Welcome to the Plaso documentation!

Plaso (Plaso Langar Að Safna Öllu) is a computer forensic tool for timeline generation and analysis.

Plaso’s documentation is split into several parts:

The project’s code is available from https://github.com/log2timeline/plaso

Plaso is licensed under the Apache license version 2.

Contents:

User documentation

User’s Guide

How to get started

First determine which version of plaso is most suitable to your needs; for more information see Releases and roadmap.

Installing the packaged release

To install the packaged release see:

MacOS Packaged Release

To install the MacOS packaged release of plaso you need to download the latest version from https://github.com/log2timeline/plaso/releases

Attached to the most recent release (as of this time version 20170930) is a DMG file.

The DMG file can be opened either by double-clicking it or from the command line.

hdiutil attach plaso-20170930_macosx-10.12.dmg

The terminal has to be used to install the tool itself.

cd /Volumes/plaso-20170930
sudo ./install.sh

Then the DMG can be unmounted either via the GUI or the command line:

hdiutil detach /Volumes/plaso-20170930

Mac OS X 10.11 (El Capitan) and higher

Note that Mac OS X 10.11 (El Capitan) comes with pyparsing 2.0.1 and disallows removing these files by default. To be able to remove the files you’ll have to disable System Integrity Protection (SIP or rootless), which is not recommended since some system scripts can depend on this version of pyparsing.

Alternatively you can override PYTHONPATH e.g.:

PYTHONPATH=/Library/Python/2.7/site-packages/ log2timeline.py

This can be turned into an alias, e.g.:

alias log2timeline.py="PYTHONPATH=/Library/Python/2.7/site-packages/ log2timeline.py"

Or use the shell script helpers provided in the DMG, e.g.:

log2timeline.sh

Installing Plaso on Ubuntu
SANS Investigative Forensic Toolkit (SIFT) Workstation

SIFT workstation version 3 adds the GIFT PPA stable track. All you need to do to get the most recent stable release of Plaso is:

sudo apt-get update
sudo apt-get install python-plaso plaso-tools

Ubuntu 14.04 and 16.04 LTS

To install plaso from the GIFT Personal Package Archive (PPA) you’ll need to have Ubuntu universe enabled:

sudo add-apt-repository universe
sudo apt-get update

Not strictly necessary, but we recommend that your Ubuntu installation is up to date:

sudo apt-get upgrade

Add the GIFT PPA:

sudo add-apt-repository ppa:gift/stable

Update and install plaso:

sudo apt-get update
sudo apt-get install python-plaso plaso-tools

Windows Packaged Release

To install the Windows packaged release of plaso you need to download the latest version from https://github.com/log2timeline/plaso/releases

Attached to the most recent release (as of this time version 20170930) is a ZIP file.

The name of the ZIP file contains:

  • amd64 which indicates the architecture of the binaries in the ZIP.
  • vs2008 or vs2010 which indicates the Visual Studio version used to build the binaries. You’ll need to have the corresponding Visual C++ Redistributable package installed, which you can obtain from Microsoft Download Center.

Extract the ZIP file and you’re ready to log2timeline.

Plaso in a Docker container
Install Docker on Ubuntu

apt-get install docker.io

Build an image
From Docker Public Registry

$ docker pull log2timeline/plaso

From Dockerfile
$ git clone https://github.com/log2timeline/plaso
$ cd plaso/config/docker/
$ docker build -f plaso-from-ppa.dockerfile .

Export the Plaso docker image to a non-internet connected system

Figure out the name of the docker image you want to run. Use the IMAGE ID (docker images will list all the images you have installed) if you’ve built from the Dockerfile, or “log2timeline/plaso” if you’ve just pulled the image from the Docker Registry.

First, export the image (replace <IMAGE_NAME> with that name or ID):

$ docker save <IMAGE_NAME> | gzip -c > saved_docker_image.tgz

Then copy saved_docker_image.tgz to an external disk.

Finally, on the other system, and from the mounted external disk, run:

$ zcat saved_docker_image.tgz | docker load

Run Plaso from your new docker image

Figure out the name of the docker image you want to run (see before)

First start the extraction with log2timeline. Should your evidence files/images be present on the host and not in the container (which is the default scenario), you’ll have to set up a bridge between the two. For example, if you store the evidence you currently want to analyse in /data/evidences/, you could tell log2timeline to generate the plaso storage file as /data/evidences.plaso this way:

$ docker run -v /data/:/data log2timeline/plaso log2timeline /data/evidences.plaso /data/evidences

This way your plaso file will also be stored on the host filesystem.

The next step is to run the analysis with psort:

$ docker run -v /data/:/data log2timeline/plaso psort /data/evidences.plaso 
Datetime,timestamp_desc,source,source_long,message,parser,display_name,tag,store_number,store_index
....
Processing completed.

*********************************** Counter ************************************
     Stored Events : 251
   Events Included : 251
Duplicate Removals : 23
--------------------------------------------------------------------------------

Last step, forensication, is left to the reader.

The entry_point of the docker container is plaso-switch.sh. It understands the following commands, and runs the appropriate programs:

  • log2timeline or log2timeline.py
  • pinfo or pinfo.py
  • preg or preg.py
  • psort or psort.py

If you’re not interested in running any of these, and just want to drop to a prompt inside your Plaso container, you can run:

$ docker run -t -i --entrypoint=/bin/bash -v /data:/data log2timeline/plaso

If you run into problems installing, check out the installation troubleshooting guide

Before we start

Please report all discovered bugs on the issue tracker.

To follow announcements from the plaso team or send in generic inquiries or discuss the tool, please subscribe to the log2timeline-discuss mailing list or join the G+ community.

I know the good old Perl version

If you are one of those people who liked the old Perl version of log2timeline but would really like to switch and use all the nifty features of the Python version, fear not: here is a guide to help you migrate.

The tools

Though plaso was initially created with the intent of replacing the Perl version of log2timeline, its focus has shifted from a stand-alone tool to a set of modules that can be used in various use cases. Fear not, plaso is not a developers-only project; it also includes several command line tools, each with its specific purpose. Currently these are:

Using image_export.py

PAGE WIP

image_export is a command line tool to export file content from a storage media image or device based on various filter criteria, such as extension names, filter paths, file format signature identifiers, file creation date and time ranges, etc.

Usage

To get a full list of parameters that can be passed to the tool use the -h or --help switch.

There are several ways to define how you want to find the files to extract:

  • Based on path, filename or extension name
  • Based on time range
  • Based on format signature
Path, filename or extension

discuss here:

--names NAMES
-f FILE_FILTER

collection filters

-x EXTENSIONS, --extensions EXTENSIONS
Time range

--date-filter TYPE_START_END, --date_filter TYPE_START_END

Format signature

--signatures IDENTIFIERS

Other options

Talk about: --data -w PATH

--include_duplicates

--no_vss --vss_stores VSS_STORES

Using log2timeline.py

This page is still a work in progress and will most likely change significantly

Usage

log2timeline is a command line tool to extract events from individual files, recursing a directory (e.g. mount point) or storage media image or device. log2timeline creates a plaso storage file which can be analyzed with the pinfo and psort tools.

The plaso storage file contains the extracted events and various metadata about the collection process alongside information collected from the source data. It may also contain information about tags applied to events and reports from analysis plugins.

Running the tool

To get a complete list of all switches and parameters to the tool, use -h or --help.

This guide will cover the most basic options and then discuss some of the perhaps less used ones.

The first option is --info, which prints out information about all supported plugins, parsers, output modules, etc.

$ log2timeline.py --info
======================== log2timeline/plaso information ========================

******************************** Parser Presets ********************************
                  android : android_app_usage, android_calls, android_sms
                    linux : bencode, filestat, google_drive, java_idx, olecf,
                            openxml, pls_recall, popularity_contest, selinux,
                            skype, syslog, utmp, webhist, xchatlog,
                            xchatscrollback, zeitgeist
                   macosx : appusage, asl_log, bencode, bsm_log, cups_ipp,
                            filestat, google_drive, java_idx, ls_quarantine,
                            mac_appfirewall_log, mac_document_versions,
                            mac_keychain, mac_securityd, mackeeper_cache,
                            macwifi, olecf, openxml, plist, skype, utmpx,
                            webhist
...

The simplest way, and perhaps the most common way to run the tool is without any additional parameters, only defining the output and input. The output is the path and filename of the storage file while the input is the location of the source, whether that is a single file, storage media, device or a mount point. The tool will go through the entire data set and produce a “kitchen sink” timeline, containing information extracted from all discovered files.

$ log2timeline.py OUTPUT INPUT

An example run:

$ log2timeline.py test.plaso test.vhd 

Source path : /PATH/test.vhd
Source type : storage media image

Processing started.
2015-07-16 16:53:58,808 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: sysregistry to /WINDOWS/system32/config
2015-07-16 16:53:58,820 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: systemroot to /WINDOWS
2015-07-16 16:53:58,834 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: windir to /WINDOWS
2015-07-16 16:53:59,937 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: users to [{u'path': u'%systemroot%\\system32\\config\\systemprofile', u'name': u'systemprofile', u'sid': u'S-1-5-18'}, {u'path': u'%SystemDrive%\\Documents and Settings\\LocalService', u'name': u'LocalService', u'sid': u'S-1-5-19'}, {u'path': u'%SystemDrive%\\Documents and Settings\\NetworkService', u'name': u'NetworkService', u'sid': u'S-1-5-20'}, {u'path': u'%SystemDrive%\\Documents and Settings\\Mr. Evil', u'name': u'Mr. Evil', u'sid': u'S-1-5-21-2000478354-688789844-1708537768-1003'}]
2015-07-16 16:54:01,038 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: programfiles to Program Files
2015-07-16 16:54:02,128 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: programfilesx86 to None
2015-07-16 16:54:03,300 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: osversion to Microsoft Windows XP
2015-07-16 16:54:04,311 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: code_page to cp1252
2015-07-16 16:54:05,368 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: hostname to N-1A9ODN6ZXK4LQ
2015-07-16 16:54:06,436 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: time_zone_str to CST6CDT
2015-07-16 16:54:06,437 [INFO] (MainProcess) PID:98252 <extraction_frontend> Parser filter expression changed to: winxp
2015-07-16 16:54:06,437 [INFO] (MainProcess) PID:98252 <extraction_frontend> Setting timezone to: CST6CDT
Worker_00 (PID: 98257) - events extracted: 596 - file: TSK:/Documents and Settings/All Users/Start Menu/Programs/Look@LAN/Look@LAN on the WEB.lnk - running: True <running>
Worker_01 (PID: 98258) - events extracted: 422 - file: TSK:/Documents and Settings/All Users/Start Menu/Programs/Look@LAN/License.lnk - running: True <running>
Worker_02 (PID: 98259) - events extracted: 4 - file: TSK:/hiberfil.sys - running: True <running>
...
Worker_03 (PID: 98273) - events extracted: 14169 - file: TSK:/WINDOWS/Installer/{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}/places.exe - running: True <running>
Worker_04 (PID: 98274) - events extracted: 20672 - file: TSK:/$RECYCLE.BIN/S-1-5-21-4281732234-1149440973-2434181300-1000/desktop.ini - running: True <running>
Worker_05 (PID: 98275) - events extracted: 12500 - file: TSK:/$Extend/$RmMetadata/$TxfLog/$TxfLogContainer00000000000000000002 - running: True <running>
All extraction workers completed - waiting for storage.
Processing completed.

The input here was a storage media file with a single partition, containing a Windows XP system. The first thing the tool does is scan the storage media file; if it discovers more than a single partition, an encrypted partition, or a partition that contains Volume Shadow Copies (VSS), it will ask the user for further details, e.g.:

$ log2timeline.py bde_windows.plaso bde_enabled_windows.dd 

The following partitions were found:
Identifier      Offset (in bytes)       Size (in bytes)
p1              1048576 (0x00100000)    350.0MiB / 367.0MB (367001600 B)
p2              368050176 (0x15f00000)  148.7GiB / 159.7GB (159671910400 B)

Please specify the identifier of the partition that should be processed.
All partitions can be defined as: "all". Note that you can abort with Ctrl^C.
p2
Found a BitLocker encrypted volume.
Supported credentials:

  0. startup_key
  1. recovery_password
  2. password
  3. skip

Note that you can abort with Ctrl^C.

Select a credential to unlock the volume: 

After finding a partition to process, the tool will start the pre-processing stage, where it collects information from the storage media. That is evident from entries like:

2015-07-16 16:54:05,368 [INFO] (MainProcess) PID:98252 <interface> [PreProcess] Set attribute: hostname to N-1A9ODN6ZXK4LQ

Here the tool detected that the hostname from this partition is: N-1A9ODN6ZXK4LQ.

After that the tool spins up several workers (the actual number depends on the number of CPUs on the system running the tool), a collector and a storage process.

For a better overview of what the tool is doing, use the --status_view parameter (warning: the window status view does not work very well on Windows).

$ log2timeline.py --status_view window test.plaso test.vhd 

This makes it easier to keep track of what the tool is doing at any point in time.

plaso - log2timeline version 1.3.0

Source path : /PATH/test.vhd
Source type : storage media image

Identifier  PID Status      Events      File
Collector   98490   running         
Worker_00   98484   running     1280 (108)  GZIP:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/HYU1BON0/results[1].aspx
Worker_01   98485   running     3069 (24)   TSK:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/HYU1BON0/google[1]
Worker_02   98486   running     1040 (160)  TSK:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/HYU1BON0/gray[1].gif
Worker_03   98487   running     2175 (8)    GZIP:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/HYU1BON0/login[1].first=1
Worker_04   98488   running     842 (148)   GZIP:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/HYU1BON0/downloadget[1].php
Worker_05   98489   running     1034 (4)    GZIP:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/HYU1BON0/CAJIGZ3H.com%2F
StorageWriter   98483   running     7646 (3063) 

The status window includes information on how many workers were started up, what their PID is, how many total events each one of them has extracted (within the parenthesis) and what was the last file they were working on extracting events from.

Another useful option is --logfile. This will redirect all log messages from the tool to a file. This can be coupled with -d if you wish to get more detailed debug data.

$ log2timeline.py --status_view window --logfile test.log test.plaso test.vhd 

This combines storing all log entries in a file for easier viewing later with having the status window display the current status of the tool. The benefit is that you get a better overview of what the tool is doing at any point in time and can easily review after the run whether the tool encountered any errors. That can be very useful in determining whether the tool failed to process an important artifact, for instance.

There are also a few options that can be used to prevent the tool from prompting the user to select VSS stores or partitions.

  • --partition PARTITION_NUMBER: Preselects the partition number to use, e.g. --partition 2 will pick the second partition on the disk.
  • --vss_stores: Selects the VSS stores to include, e.g. --vss_stores all will select all available VSS stores, --vss_stores 1,4,5 only the first, fourth and fifth, and --vss_stores 1..3 the first three stores.
  • --no_vss: Skip all VSS parsing.
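
The store selection syntax above, as an added example (a reimplementation of the forms described, not plaso's own code): it accepts "all", a comma-separated list such as 1,4,5, a range such as 1..3, or a mix of the two, and validates the selection against the stores that were actually found so an unattended run fails early instead of hanging on an interactive prompt. The list of available stores is assumed to be supplied by the caller from the volume scan.

```python
"""Parser for the --vss_stores selection syntax (added example, not plaso code)."""


def parse_vss_stores(selection, available_stores):
    """Return the sorted list of selected VSS store numbers.

    selection: the string given to --vss_stores ("all", "1,4,5", "1..3", "5,1..2").
    available_stores: 1-based numbers of the stores found on the volume
        (assumed to come from the volume scan; constructed by the caller here).
    Raises ValueError on a syntax error or a store that does not exist.
    """
    available = set(available_stores)
    text = selection.strip().lower()
    if not text:
        raise ValueError("empty VSS store selection")
    if text == "all":
        return sorted(available)

    selected = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty element in store selection: %r" % selection)
        if ".." in token:
            # Inclusive range, e.g. "1..3" selects stores 1, 2 and 3.
            first, _, last = token.partition("..")
            if not (first.isdigit() and last.isdigit()):
                raise ValueError("invalid store range: %r" % token)
            first, last = int(first), int(last)
            if first > last:
                raise ValueError("range start exceeds end: %r" % token)
            wanted = range(first, last + 1)
        elif token.isdigit():
            wanted = [int(token)]
        else:
            raise ValueError("invalid store number: %r" % token)
        for number in wanted:
            # Refuse stores that the scan did not report rather than silently
            # processing fewer snapshots than the analyst asked for.
            if number not in available:
                raise ValueError(
                    "VSS store %d does not exist (found: %s)"
                    % (number, sorted(available)))
            selected.add(number)
    return sorted(selected)


def is_valid_selection(selection, available_stores):
    """True if the selection parses and only names existing stores."""
    try:
        parse_vss_stores(selection, available_stores)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed scan result: a volume with five shadow copies.
    found = [1, 2, 3, 4, 5]
    for sel in ("all", "1,4,5", "1..3", "5, 1..2", "1..7"):
        print("%-8s -> %s" % (sel, parse_vss_stores(sel, found)
                              if is_valid_selection(sel, found) else "rejected"))
```
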
Triage

Sometimes you may not want to do a complete timeline that extracts events from every discovered file. To do a more targeted timelining the -f FILTER_FILE parameter can be used.

$ log2timeline.py -f filter test.plaso test.vhd 

Source path : /PATH/test.vhd
Source type : storage media image
Filter file : filter

Processing started.
...
All extraction workers completed - waiting for storage.
Processing completed.

Instead of processing the entire partition, only the file paths matched by the filter file will be used. Here its content is:

$ cat filter 
{sysregistry}/.+
/Users/.+/NTUSER.DAT
/Documents And Settings/.+/NTUSER.DAT

This can be verified with:

$ psort.py -a -q test.plaso "SELECT filename" | sort -u
/Documents and Settings/Default User/NTUSER.DAT
/Documents and Settings/LocalService/NTUSER.DAT
/Documents and Settings/Mr. Evil/NTUSER.DAT
/Documents and Settings/NetworkService/NTUSER.DAT
/WINDOWS/system32/config/AppEvent.Evt
/WINDOWS/system32/config/SAM
/WINDOWS/system32/config/SAM.LOG
/WINDOWS/system32/config/SECURITY
/WINDOWS/system32/config/SECURITY.LOG
/WINDOWS/system32/config/SecEvent.Evt
/WINDOWS/system32/config/SysEvent.Evt
/WINDOWS/system32/config/TempKey.LOG
/WINDOWS/system32/config/default
/WINDOWS/system32/config/default.LOG
/WINDOWS/system32/config/default.sav
/WINDOWS/system32/config/software
/WINDOWS/system32/config/software.LOG
/WINDOWS/system32/config/software.sav
/WINDOWS/system32/config/system
/WINDOWS/system32/config/system.LOG
/WINDOWS/system32/config/system.sav
/WINDOWS/system32/config/systemprofile
/WINDOWS/system32/config/userdiff
/WINDOWS/system32/config/userdiff.LOG
filename

More information about the collection filters can be found here
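To show how the filter file above selects files, here is an added example that models the collection filter semantics in a few lines of Python (a simplified model written for this page, not plaso's own code): each line is a path whose segments are regular expressions, {attribute} placeholders are replaced with values gathered during pre-processing (such as sysregistry, set to /WINDOWS/system32/config in the run above), and segments are matched one-to-one and case-insensitively, which is why /Documents And Settings/.+/NTUSER.DAT selected the "Documents and Settings" profiles. The pre-processing attributes and the candidate paths are constructed to mirror the example run; skipping lines with unknown placeholders is an assumption of this model.

```python
"""Simplified model of a log2timeline collection filter (added example)."""
import re

# Pre-processing attributes, constructed from the "Set attribute:" log lines
# of the example run above.
PREPROCESS_ATTRIBUTES = {
    "sysregistry": "/WINDOWS/system32/config",
    "systemroot": "/WINDOWS",
    "windir": "/WINDOWS",
}

# The filter file shown on the page, embedded inline.
FILTER_FILE = """\
{sysregistry}/.+
/Users/.+/NTUSER.DAT
/Documents And Settings/.+/NTUSER.DAT
"""

# Matches {name} placeholders; a regex quantifier such as {2} does not match.
_PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def build_find_specs(filter_text, attributes):
    """Turn filter lines into lists of compiled per-segment regexes.

    Blank lines and '#' comments are ignored. Lines referencing a placeholder
    with no pre-processing value are skipped (assumption of this model).
    """
    specs = []
    for raw_line in filter_text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        if any(name not in attributes for name in _PLACEHOLDER.findall(line)):
            continue
        expanded = _PLACEHOLDER.sub(lambda m: attributes[m.group(1)], line)
        segments = [s for s in expanded.split("/") if s]
        # Case-insensitive, as the run above matched "Documents and Settings".
        specs.append([re.compile(s, re.IGNORECASE) for s in segments])
    return specs


def path_matches(path, specs):
    """True if every segment of the path fully matches the segments of a spec.

    Segment counts must agree, so "{sysregistry}/.+" selects files directly
    inside the registry directory but nothing deeper.
    """
    segments = [s for s in path.split("/") if s]
    for spec in specs:
        if len(spec) != len(segments):
            continue
        if all(rx.fullmatch(seg) for rx, seg in zip(spec, segments)):
            return True
    return False


def select_paths(paths, filter_text, attributes):
    """Return the sorted subset of paths the filter file would collect."""
    specs = build_find_specs(filter_text, attributes)
    return sorted(p for p in paths if path_matches(p, specs))


# Constructed sample of paths as the collector would enumerate them.
SAMPLE_PATHS = [
    "/WINDOWS/system32/config/SAM",
    "/WINDOWS/system32/config/system.LOG",
    "/WINDOWS/system32/config/systemprofile/ntuser.dat",
    "/WINDOWS/system32/drivers/etc/hosts",
    "/Documents and Settings/Mr. Evil/NTUSER.DAT",
    "/Documents and Settings/Mr. Evil/Local Settings/index.dat",
    "/Users/alice/ntuser.dat",
    "/Users/NTUSER.DAT",
]

if __name__ == "__main__":
    for path in select_paths(SAMPLE_PATHS, FILTER_FILE, PREPROCESS_ATTRIBUTES):
        print(path)
```
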

Running against more than a single partition

Everything following this is still not written

Here we discuss the use of --use_old_preprocess and --partition all

OTHER OPTIONS TO DISCUSS

Options:

-z TIMEZONE
--credential TYPE:DATA
--data

-d
--profile
--profiling_type


--single_process
--show_memory_usage

--workers
Using pinfo.py

pinfo is a command line tool to provide information about the contents of a plaso storage file.

The plaso storage file contains information about:

  • When and how the tool was run
  • Information gathered during the pre-processing stage
  • Metadata about each storage container or store
  • What parsers were used during the extraction phase, parameters used
  • How many extracted events are in the storage file, and count of each parser
  • If there are tagged events, what tag file was used, what tags have been applied and count for each one
  • If analysis plugins have been run, an overview of which have been run and the content of the report
Usage

Usage of pinfo is very simple; however, for a full list of parameters use the -h or --help switch.

The simplest way to run the tool is to run it without any parameters:

$ pinfo.py test.plaso

--------------------------------------------------------------------------------
                Plaso Storage Information
--------------------------------------------------------------------------------
Storage file:           test.plaso
Serialization format:   json
Source processed:       N/A
Time of processing:     2015-07-16T20:39:40+00:00

Collection information:
        parser_selection = winxp
        recursive = False
        preferred_encoding = UTF-8
        os_detected = Windows
        workers = 0
        output_file = test.plaso
        method = imaged processed
        preprocess = True
        version = 1.3.0
        cmd_line = /usr/bin/log2timeline.py test.plaso test.dd
        debug = False
        runtime = multi process mode
        parsers = bencode, binary_cookies, chrome_cache, chrome_preferences, esedb, filestat, firefox_cache, java_idx, lnk, mcafee_protection, msiecf, olecf, openxml, opera_global, opera_typed_history, pe, plist, prefetch, recycle_bin_info2, skydrive_log, skydrive_log_error, sqlite, symantec_scanlog, winevt, winfirewall, winjob, winreg
        configured_zone = CST6CDT
        protobuf_size = 0

Parser counter information:
        Counter: total = 149925
        Counter: winreg/winreg_default = 87885
        Counter: filestat = 28894
        Counter: pe = 26161
        Counter: msiecf = 3156
        Counter: lnk/shell_items = 1361
        Counter: winreg/windows_services = 831
        Counter: lnk = 483
        Counter: winevt = 364
...

This produces the basic information the storage file stores. To get more verbose output, for instance to see the information collected during the pre-processing stage or the content of analysis reports, use the verbose switch -v:

$ pinfo.py -v test.plaso
...
Preprocessing information:
        Operating system        : Microsoft Windows XP
        Hostname                : N-1A9ODN6ZXK4LQ
        Time zone               : CST6CDT
        %ProgramFiles%          : Program Files
        %SystemRoot%            : /WINDOWS
        %WinDir%                : /WINDOWS
    Users information:
        Name                    : systemprofile
        SID                     : S-1-5-18
        Profile path            : %systemroot%\system32\config\systemprofile
        Name                    : LocalService
        SID                     : S-1-5-19
        Profile path            : %SystemDrive%\Documents and Settings\LocalService
        Name                    : NetworkService
        SID                     : S-1-5-20
        Profile path            : %SystemDrive%\Documents and Settings\NetworkService
        Name                    : Mr. Evil
        SID                     : S-1-5-21-2000478354-688789844-1708537768-1003
        Profile path            : %SystemDrive%\Documents and Settings\Mr. Evil
    Other:
        Time zone               : CST6CDT
        Operating system        : Windows
        Registry path           : /WINDOWS/system32/config
        store_range             : (1, 1)
        Code page               : cp1252

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...

If analysis plugins have been run the reports are also displayed:

Report generated from: browser_search
Generated on: 2015-07-17T02:52:07+00:00

Report text:
 == ENGINE: GoogleSearch ==
10 who am i
10 what is my ip

The same applies if there are any tags stored in the storage file.

Parser counter information:
        Counter: Total Tags = 146
        Counter: Application Execution = 144
        Counter: Document Printed = 2

There is also an option to compare two storage files, for instance if you run the tool against a storage media file, later re-run the tool, and want to quickly determine whether there is a difference between the two storage files (this does not go into content, only counters).

$ pinfo.py --compare older_test.plaso test.plaso 

collection_information.version value mismatch 1.3.0_20150716 != 1.3.0_20150713.
counter.filestat value mismatch 49090 != 28894.
counter.total value mismatch 143960 != 123764.

This shows the comparison between two runs of the tool against the same test dataset, before a bug was fixed and after. Two things changed: the version number increased and there are a lot more filestat events in the newer storage file.

Using psort.py (Plaso Síar Og Raðar Þessu)

psort is a command line tool to post-process plaso storage files. It allows you to filter, sort and run automatic analysis on the contents of plaso storage files.

Looking for tips and tricks?

Usage

To see a list of all available parameters you can pass to psort use -h or --help.

The simplest way to run the tool is to simply provide it with a storage file.

$ psort.py -w test.log test.plaso

This will use the default output module and print out to STDOUT a list of all extracted events, merging detected duplicate events. All timestamps on the output will be in UTC.

The generic options are:

$ psort.py [-a] [-o FORMAT] [-w OUTPUTFILE] [-z TIMEZONE] STORAGE_FILE FILTER
Output

To see a list of all supported output modules use the -o list switch:

$ psort.py -o list

******************************** Output Modules ********************************
4n6time_mysql : MySQL database output for the 4n6time tool.
4n6time_sqlite : Saves the data in a SQLite database, used by the tool 4n6time.
   dynamic : Dynamic selection of fields for a separated value output format.
   elastic : Saves the events into an ElasticSearch database.
      json : Saves the events into a JSON format.
 json_line : Saves the events into a JSON line format.
    l2tcsv : CSV format used by legacy log2timeline, with 17 fixed fields.
    l2ttln : Extended TLN 7 field | delimited output.
      null : An output module that doesn't output anything.
     rawpy : "raw" (or native) Python output.
timesketch : Create a Timesketch timeline.
       tln : TLN 5 field | delimited output.
--------------------------------------------------------------------------------

If you are missing any optional dependencies, not all output modules may be available; the -o list switch shows which ones are disabled:

******************************** Output Modules ********************************
4n6time_sqlite : Saves the data in a SQLite database, used by the tool 4n6time.
   dynamic : Dynamic selection of fields for a separated value output format.
      json : Saves the events into a JSON format.
 json_line : Saves the events into a JSON line format.
    l2tcsv : CSV format used by legacy log2timeline, with 17 fixed fields.
    l2ttln : Extended TLN 7 field | delimited output.
      null : An output module that doesn't output anything.
     rawpy : "raw" (or native) Python output.
       tln : TLN 5 field | delimited output.
--------------------------------------------------------------------------------

*************************** Disabled Output Modules ****************************
4n6time_mysql : MySQL database output for the 4n6time tool.
   elastic : Saves the events into an ElasticSearch database.
timesketch : Create a Timesketch timeline.
--------------------------------------------------------------------------------
Changing Output Format

To change the output, simply use -o FORMAT, for example:

$ psort.py -o l2tcsv -w test.l2tcsv test.plaso

This would use the “l2tcsv” module, i.e. the default CSV output of the older Perl version of log2timeline.

Note that psort 1.5.0 no longer supports output to stdout.

Modify the Timezone

psort uses UTC as its default timezone when outputting events. This can be controlled using the -z TIMEZONE parameter.

$ psort.py -z EST5EDT test.plaso

To see a list of all supported timezones use the -z list parameter:

$ psort.py -z list

************************************ Zones *************************************
                        Timezone : UTC Offset
                  Africa/Abidjan : +00:00
                    Africa/Accra : +00:00
              Africa/Addis_Ababa : +03:00
                  Africa/Algiers : +01:00
                   Africa/Asmara : +03:00
                   Africa/Asmera : +03:00
...
Quiet and More Verbose Output

psort records the number of events it processes and how many events got filtered out due to filter settings or to duplication removals. This information is printed out at the end of each run, for example:

$ psort.py test.plaso "SELECT timestamp LIMIT 10"
...
[INFO] Output processing is done.

*********************************** Counter ************************************
            Stored Events : 143960
          Events Included : 10
               Limited By : 10

Or from a full run:

$ psort.py test.plaso
...
*********************************** Counter ************************************
            Stored Events : 143960
          Events Included : 143812
       Duplicate Removals : 23157

This output provides valuable information about how many events got filtered out, for instance by duplicate entry removal. There are many reasons why there may be duplicate entries in an output:

  • A filesystem entry that has the same timestamp for MACB timestamps (or any combination of them)
  • Parsing a storage media file and processing a VSS store will produce a lot of duplicate entries, for example: the exact same Event Log record.
  • Metadata information extracted from a file that is stored in more than one place on the drive

If you don’t want duplicate entries to be removed it is possible to supply the flag -a or --include_all to psort.

$ psort.py -a -w all_events.txt test.plaso

If, on the other hand, you do not want to see the overview printed at the end, it is possible to silence it with the -q flag:

$ psort.py -q -w output.csv test.plaso
Automatic Analysis

plaso defines a concept called an analysis plugin. Essentially that means you can write a plugin that gets a copy of every event that is extracted and not filtered out, to inspect it and potentially extract meaning or context from it. This information can be used to create tags and attach them back to the events, or to create reports.

As of now the analysis plugins are only exposed to the post-processing layer, that is to psort, although there are efforts underway to expose them to the extraction stage as well. That way you could use them to create tags that are immediately available in post-processing.

Plugins are invoked with the --analysis PLUGIN option, for example:

$ psort.py --analysis PLUGIN_NAME ...

To get a full list of the available plugins use the --analysis list parameter:

$ psort.py --analysis list

******************************* Analysis Plugins *******************************
  browser_search : Analyze browser search entries from events. [Summary/Report
                   plugin]
chrome_extension : Convert Chrome extension IDs into names, requires Internet
                   connection. [Summary/Report plugin]
     file_hashes : A plugin for generating a list of file paths and
                   corresponding hashes. [Summary/Report plugin]
         tagging : Analysis plugin that tags events according to rules in a
                   tag file. [Summary/Report plugin]
           viper : An analysis plugin for looking up SHA256 hashes in Viper.
                   [Summary/Report plugin]
      virustotal : An analysis plugin for looking up hashes in VirusTotal.
                   [Summary/Report plugin]
windows_services : Provides a single list of for Windows services found in the
                   Registry. [Summary/Report plugin]
--------------------------------------------------------------------------------

Some of these plugins expose additional parameters, some of which may be required for that plugin. To see which parameters are exposed, use the -h flag in addition to --analysis PLUGIN, for example:

$ psort.py --analysis virustotal -h
...
Analysis Arguments:
  --analysis PLUGIN_LIST
                        A comma separated list of analysis plugin names to be
                        loaded or "--analysis list" to see a list of available
                        plugins.
  --virustotal-api-key VIRUSTOTAL-API-KEY
                        Specify the API key for use with VirusTotal.
  --virustotal-free-rate-limit VIRUSTOTAL-RATE-LIMIT
                        Limit Virustotal requests to the default free API key
                        rate of 4 requests per minute. Set this to false if
                        you have an key for the private API.
  --windows-services-output {text,yaml}
                        Specify how the results should be displayed. Options
                        are text and yaml.
  --viper-host VIPER-HOST
                        Specify the host to query Viper on.
  --viper-protocol {http,https}
                        Protocol to use to query Viper.
  --tagging-file TAGGING_FILE
                        Specify a file to read tagging criteria from.
...

An example run could therefore be:

$ psort.py -o null --analysis tagging --tagging-file tag_windows.txt test.plaso 

What this does is:

  • Uses the “null” output module, that is it does not print out any events.
  • Runs the tagging analysis plugin. This analysis plugin runs through each event, compares that to the list of tags you provide to the tool and applies the appropriate tags.
  • Uses the file “tag_windows.txt” as a source of all tags to apply.

The tagging file that is passed on is searched for using the provided path as an absolute path, as a relative path, or as a path relative to the data directory.

The file tag_windows.txt, for instance, is a file that is found inside the data directory and can thus be used without creating any file.

At the end of the run the tool will produce a summary or reports of the analysis plugins:

[INFO] All analysis plugins are now completed.
Report generated from: tagging
Generated on: 2015-07-31T17:38:32+00:00

Report text:
Tagging plugin produced 146 tags.

In this case, since the tagging plugin was run, the tags that were applied can be viewed using pinfo:

$ pinfo.py test.plaso
...
Parser counter information:
    Counter: Total Tags = 146
    Counter: Application Execution = 144
    Counter: Document Printed = 2
...

The tags are now included in the output:

$ psort.py -w output_tags.csv test.plaso 
$ grep "Document Printed" output_tags.csv
1999-05-15T15:39:16+00:00,Document Last Printed Time,OLECF,OLECF Summary Info,Title: Microsoft Powertoys for Windows XP  Subject: Powertoys Author: Microsoft Corporation Keywords: Powertoy Template: Intel;1033 Revision number: {1DA2A275-1387-4A40-8453-EFDF70F62811} Last saved by: InstallShield  Number of pages: 110 Number of words: 0 Number of characters: 0 Application: InstallShield® Developer 7.0 Security: 0x00000001: Password protected,olecf/olecf_summary,TSK:/WINDOWS/Downloaded Installations/Powertoys For Windows XP.msi;TSK:/WINDOWS/Installer/ac704.msi,Document Printed,1,888
...

TODO: Move this documentation to a separate analysis plugin site and include information about the rest of the plugins.

Filtering

It is possible to filter the results psort provides using a few different methods:

  • a time slice, if you have a timestamp of interest, where only events that occur X minutes before and after that timestamp are included;
  • a granular filter on timestamps and/or the content of various attributes;
  • a regular filter combined with the events that occurred just before and after the events that match the filter.

Time Slices

The simplest filter is the time slice: if you’ve discovered an interesting timestamp and would like to explore what occurred just prior to and after it, use the --slice DATE parameter, for example:

$ psort.py -q --slice "2004-09-20 16:13:02" test.plaso 
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag,store_number,store_index
2004-09-20T16:13:02+00:00,Expiration Time,WEBHIST,MSIE Cache File URL record,Location: Visited: Mr. Evil@http://www.microsoft.com/windows/ie/getosver/javaxp.asp Number of hits: 2 Cached file size: 0,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/History/History.IE5/index.dat,-,1,143661
2004-09-20T16:13:12+00:00,Expiration Time,WEBHIST,MSIE Cache File URL record,Location: Visited: Mr. Evil@http://fosi.ural.net Number of hits: 1 Cached file size: 0,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/History/History.IE5/index.dat,-,1,143663
2004-09-20T16:13:12+00:00,Expiration Time,WEBHIST,MSIE Cache File URL record,Location: :2004082520040826: Mr. Evil@http://fosi.ural.net Number of hits: 1 Cached file size: 0,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/History/History.IE5/MSHist012004082520040826/index.dat,-,1,143662

By default the tool chooses 5 minutes prior and after the timestamp in question. To configure that use the --slice_size SLICE_SIZE parameter.

$ psort.py -q --slice "2004-09-20 16:13:02" --slice_size 100 test.plaso
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag,store_number,store_index
2004-09-20T15:18:38+00:00,Expiration Time,WEBHIST,MSIE Cache File URL record,Location: :2004082520040826: Mr. Evil@http://www.yahoo.com Number of hits: 1 Cached file size: 0,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/History/History.IE5/MSHist012004082520040826/index.dat,-,1,143624
2004-09-20T15:18:38+00:00,Expiration Time,WEBHIST,MSIE Cache File URL record,Location: Visited: Mr. Evil@http://www.yahoo.com Number of hits: 1 Cached file size: 0,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/History/History.IE5/index.dat,-,1,143625
2004-09-20T15:18:54+00:00,Expiration Time,WEBHIST,MSIE Cache File URL record,Location: Visited: Mr. Evil@http://www.yahoo.com/_ylh=X3oDMTB1M2EzYWFoBF9TAzI3MTYxNDkEdGVzdAMwBHRtcGwDaWUtYmV0YQ--/s/208739 Number of hits: 1 Cached file size: 0,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/History/History.IE5/index.dat,-,1,143626
2004-09-20T15:19:00+00:00,Expiration Time,WEBHIST,MSIE Cache File URL record,Location: :2004082520040826: Mr. Evil@http://story.news.yahoo.com/news?tmpl=story&cid=564&ncid=564&e=1&u=/nm/20040825/ts_nm/iraq_usa_beheading_dc Number of hits: 1 Cached file size: 0,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/History/History.IE5/MSHist012004082520040826/index.dat,-,1,143627
...

Filters

A more comprehensive discussion of the filters can be read here.

For psort the filters are included at the end of the command line arguments, for example:

$ psort.py -q test.plaso FILTER

An example filter that selects only the events within a certain time range:

$ psort.py -q  test.plaso "date < '2004-09-20 16:20:00' and date > '2004-09-20 16:10:00'"
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag,store_number,store_index
2004-09-20T16:13:02+00:00,Expiration Time,WEBHIST,MSIE Cache File URL record,Location: Visited: Mr. Evil@http://www.microsoft.com/windows/ie/getosver/javaxp.asp Number of hits: 2 Cached file size: 0,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/History/History.IE5/index.dat,-,1,143661
...

Filter and Include Surrounding Events

If you have something interesting that you want to filter but you also want to include some context surrounding those hits you can run the tool with the flag --slicer in addition to the filter.

An example:

$ psort.py -q test.plaso "cached_file_size is 43"
[INFO] Data files will be loaded from /usr/share/plaso by default.
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag,store_number,store_index
1994-04-15T00:00:00+00:00,Content Modification Time,WEBHIST,MSIE Cache File URL record,Location: http://us.i1.yimg.com/us.yimg.com/i/us/hdr/el/uh_bk.gif Number of hits: 5 Cached file: PTV39NDQ\uh_bk[1].gif Cached file size: 43 HTTP headers: HTTP/1.0 200 OK - Content-Type: image/gif - Content-Length: 43 -  - ~U:mr. evil - ,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/index.dat,-,1,370
...

Here the filter cached_file_size is 43 is applied to the output, searching for all IE cache files that are 43 bytes in size. If we wanted to gather some context surrounding these events we can supply the --slicer flag, for example:

$ psort.py --slicer -q test.plaso "cached_file_size is 43"
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag,store_number,store_index
...
2001-02-23T03:15:06+00:00,Content Modification Time,WEBHIST,MSIE Cache File URL record,Location: http://www.2600.org/images/masthead2.jpg Number of hits: 1 Cached file: JIRVJY9X\masthead2[1].jpg Cached file size: 2558 HTTP headers: HTTP/1.0 200 OK - ETag: "565062-9fe-3a95d5ba" - Content-Length: 2558 - Content-Type: image/jpeg -  - ~U:mr. evil - ,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/index.dat,-,1,1413
2001-02-23T03:15:21+00:00,Content Modification Time,WEBHIST,MSIE Cache File URL record,Location: http://www.2600.org/images/sch23.gif Number of hits: 1 Cached file: PN0J7OQM\sch23[1].gif Cached file size: 11739 HTTP headers: HTTP/1.1 200 OK - ETag: "565064-2ddb-3a95d5c9" - Content-Length: 11739 - Content-Type: image/gif -  - ~U:mr. evil - ,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/index.dat,-,1,1414
2001-02-24T18:46:19+00:00,Content Modification Time,WEBHIST,MSIE Cache File URL record,Location: http://www.2600.org/images/1.gif Number of hits: 1 Cached file: HYU1BON0\1[1].gif Cached file size: 43 HTTP headers: HTTP/1.1 200 OK - ETag: "565065-2b-3a98017b" - Content-Length: 43 - Content-Type: image/gif -  - ~U:mr. evil - ,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/index.dat,-,1,1415
2001-02-24T20:51:57+00:00,Content Modification Time,WEBHIST,MSIE Cache File URL record,Location: http://www.2600.org/images/storeadmed.jpg Number of hits: 1 Cached file: HYU1BON0\storeadmed[1].jpg Cached file size: 4323 HTTP headers: HTTP/1.0 200 OK - ETag: "565066-10e3-3a981eed" - Content-Length: 4323 - Content-Type: image/jpeg -  - ~U:mr. evil - ,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/index.dat,-,1,1416
2001-02-24T22:19:38+00:00,Content Modification Time,WEBHIST,MSIE Cache File URL record,Location: http://www.2600.org/images/oldmasthead.gif Number of hits: 1 Cached file: PN0J7OQM\oldmasthead[1].gif Cached file size: 26273 HTTP headers: HTTP/1.1 200 OK - ETag: "565067-66a1-3a98337a" - Content-Length: 26273 - Content-Type: image/gif -  - ~U:mr. evil - ,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/index.dat,-,1,1417
2001-02-26T05:16:09+00:00,Content Modification Time,WEBHIST,MSIE Cache File URL record,Location: http://www.2600.org/images/725274831586.gif Number of hits: 1 Cached file: PN0J7OQM\725274831586[1].gif Cached file size: 1568 HTTP headers: HTTP/1.1 200 OK - ETag: "565068-620-3a99e699" - Content-Length: 1568 - Content-Type: image/gif -  - ~U:mr. evil - ,msiecf,TSK:/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files/Content.IE5/index.dat,-,1,1418
...

By default the tool will include five events before and after each filter hit. This can be controlled using the --slice_size parameter.

$ psort.py --slice_size 15 --slicer -q test.plaso "cached_file_size is 43"
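
To make the difference between the two context mechanisms concrete, here is an added Python example, not part of the psort documentation and not plaso’s own code, that reimplements both over a constructed in-memory timeline: time_slice mirrors --slice with --slice_size (a window of minutes around a date) and slicer mirrors --slicer with --slice_size (a count of events around each filter hit, with overlapping windows merged so no event is emitted twice). The event dict layout, the field names and the sample timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone


def parse_slice_date(text):
    """Parse the --slice argument ("YYYY-MM-DD HH:MM:SS"); UTC is assumed here."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def time_slice(events, center, slice_size=5):
    """--slice: keep the events within slice_size minutes before or after center."""
    window = timedelta(minutes=slice_size)
    return [event for event in events
            if center - window <= event["datetime"] <= center + window]


def slicer(events, predicate, slice_size=5):
    """--slicer: keep every event matching the filter predicate plus the slice_size
    events immediately before and after it in the (already sorted) timeline.
    Context windows of nearby hits overlap; the index set merges them."""
    keep = set()
    for index, event in enumerate(events):
        if predicate(event):
            keep.update(range(max(0, index - slice_size),
                              min(len(events), index + slice_size + 1)))
    return [events[index] for index in sorted(keep)]


def _event(when, size, location):
    # Assumed event layout: only the attributes this example needs.
    return {"datetime": parse_slice_date(when), "cached_file_size": size,
            "location": location}


# Constructed sample timeline (not real data), sorted by time as psort output is.
EVENTS = [
    _event("2004-09-20 15:18:38", 0, "http://www.example.test/home"),
    _event("2004-09-20 16:05:00", 2558, "http://www.example.test/masthead2.jpg"),
    _event("2004-09-20 16:09:30", 11739, "http://www.example.test/sch23.gif"),
    _event("2004-09-20 16:13:02", 43, "http://www.example.test/1.gif"),
    _event("2004-09-20 16:13:12", 4323, "http://www.example.test/storeadmed.jpg"),
    _event("2004-09-20 16:17:00", 26273, "http://www.example.test/oldmasthead.gif"),
    _event("2004-09-20 16:20:00", 1568, "http://www.example.test/725274831586.gif"),
    _event("2004-09-20 16:45:00", 0, "http://www.example.test/news"),
    _event("2004-09-20 17:00:00", 43, "http://www.example.test/uh_bk.gif"),
    _event("2004-09-20 17:30:00", 0, "http://www.example.test/logout"),
]


if __name__ == "__main__":
    center = parse_slice_date("2004-09-20 16:13:02")
    print(len(time_slice(EVENTS, center)), "events within 5 minutes of", center)
    is_43_bytes = lambda event: event["cached_file_size"] == 43
    print(len(slicer(EVENTS, is_43_bytes, slice_size=2)), "events with --slicer context")
```

With the constructed timeline, the default five-minute slice around 16:13:02 returns four events, while the slicer with two events of context around each 43-byte hit returns nine, because the two hits sit close enough for their windows to touch and the result is still emitted in timeline order.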

Other options

The data folder was mentioned earlier. The location of this folder is determined automatically, depending on how the tool was installed on the system and on the OS platform. psort uses this data path to find filter files, the Event Log message database, etc.

This data path can be changed from the default location, for instance if you have your own winevt-rc.db database or set of filter files. This can be achieved using the --data PATH parameter, for example:

$ psort.py --data /where/my/data/is/stored test.plaso

Debug

If psort encounters an unexpected exception at runtime, the debug mode can be used. To invoke debug mode use the -d parameter. Instead of exiting when an unexpected exception is raised, the tool then prints the traceback of the exception and drops into a Python debug shell. This can be used to debug the problem and fix the issue.

How do I?

How do I filter on tags?

psort.py -w timeline.log timeline.plaso "tag contains 'browser_search'"

Note that each tool can be invoked with the -h or --help command line flag to display basic usage and command line option information.

image_export

image_export is a command line tool to export file content from a storage media image or device based on various filter criteria, such as extension names, filter paths, file format signature identifiers, file creation date and time ranges, etc.

log2timeline

log2timeline is a command line tool to extract events from individual files, recursing a directory (e.g. mount point) or storage media image or device. log2timeline creates a plaso storage file which can be analyzed with the pinfo and psort tools.

The plaso storage file contains the extracted events and various metadata about the collection process alongside information collected from the source data. It may also contain information about tags applied to events and reports from analysis plugins.

pinfo

pinfo is a command line tool to provide information about the contents of a plaso storage file.

preg

preg is a command line tool to analyze Windows Registry files. It allows you to run plaso’s Windows Registry plugins on individual Windows Registry files and interactively analyze the results. For more information see: Using preg

psort

psort is a command line tool to post-process plaso storage files. It allows you to filter, sort and run automatic analysis on the contents of plaso storage files.

Creating a timeline

Using psteal

The quickest way to generate a timeline with Plaso is using the “psteal” frontend. A command line like so: psteal.py --source ~/cases/greendale/registrar.dd -o l2tcsv -w /tmp/registrar.csv will produce a csv file containing all the events from an image, with some sensible defaults.

Troubleshooting

This page contains instructions that can be used to assist you in debugging potential issues with plaso and its dependencies.

Quick list

  1. Check the commit history and issue tracker to see whether the bug has already been fixed;
  2. If you are running the development release make sure plaso and its dependencies are up to date, see: Developers Guide
  3. If you are experiencing an issue that cannot directly be attributed to some broken code, e.g. the tests are getting killed, check your system logs; it might be a problem with the resources available to plaso;
  4. Try to isolate the error, see below.

If everything fails create a new issue on the issue tracker. Please provide as much detailed information as possible, keep in mind that:

  • we cannot fix errors based on vague descriptions;
  • we cannot read your mind or look at your systems;
  • we cannot easily isolate errors if you keep changing your test environment.

Hence please provide us with the following details:

  • What steps will reproduce the problem? What output did you expect? What do you see instead?
  • What version of plaso/log2timeline are you using? (use log2timeline.py -v to see)
  • On what operating system and architecture? (be specific, as in Mac OS X Mountain Lion, 10.8.2 for instance or 64-bit Windows 7)
  • Are you processing a storage media image (if so, which format), a directory or an individual file?
  • Were you able to isolate the error to a specific file? Is it possible to share the file with the developer?
  • Any additional information that could be of use e.g. build logs, error logs, debug logs, etc.

Note that the GitHub issue tracker uses markdown, so please escape blocks of error output accordingly.

Also see the sections below on how to troubleshoot issues of a specific nature.

Isolating errors

The most important part of troubleshooting is isolating the error.

Can you run the tests successfully?

$ python run_tests.py
...
----------------------------------------------------------------------
Ran 585 tests in 66.530s

OK

If an error occurs when processing a storage media image, try running with the storage media image file and/or the file system mounted directly. Mounting the storage media image file bypasses the libraries (modules) that support the storage media image format. Running source_analyzer.py can help pinpoint the issue, e.g.

PYTHONPATH=. python examples/source_analyzer.py --no-auto-recurse

Try:

  • logging to a log file: log2timeline.py --log-file=log2timeline.log ...;
  • running in debug mode: log2timeline.py --debug ...;
  • running in single process mode, which bypasses any issues with multiprocessing: log2timeline.py --single-process ...;
  • mounting the file system as well, to bypass the libraries (modules) supporting the file system, e.g. the SleuthKit and pytsk;
  • running in single process and debug mode, see the section below.

Producing debug logs

To produce debugging logs, run log2timeline like so: log2timeline.py --log-file=log2timeline_problem.log.gz --debug. This will create multiple, gzip-compressed log files. There will be one called log2timeline_problem.log.gz containing logs from the main log2timeline process, and one log file for each worker process.

Note that the .gz file suffix is important, as it triggers Plaso to compress the log output. In uncompressed form the logs are very large. The compressed logs can be reviewed with tools such as zless and zgrep.

Import errors

It sometimes happens that the tests fail with an import error, e.g.

ImportError: Failed to import test module:
plaso.parsers.winreg_plugins.shutdown_test
Traceback (most recent call last):
  File "/usr/lib64/python2.7/unittest/loader.py", line 254, in _find_tests
    module = self._get_module_from_name(name)
  File "/usr/lib64/python2.7/unittest/loader.py", line 232, in _get_module_from_name
    __import__(name)
  File "./plaso/parsers/__init__.py", line 4, in <module>
    from plaso.parsers import asl
ImportError: cannot import name asl

This does not necessarily mean that the code cannot find the asl module. The import error can mask an underlying issue. Try running the following commands in a Python shell:

$ python
import sys
sys.path.insert(0, u'.')
import plaso

It can also mean that you have multiple versions of plaso installed on your system and Python imports the wrong one.

Crashes, hangs and tracebacks

In the context of plaso crashes and tracebacks have different meanings:

  • crash: an error that causes an abrupt termination of the program you were running, e.g. a segfault (SIGSEGV)
  • traceback: the back trace of an error that was caught by an exception handler, which can cause a termination of the program you were running

A worker segfault-ing

Since plaso relies on several compiled dependencies it is possible that a worker segfaults (SIGSEGV).

As part of the 1.3 pre-release bug hunting a SIGSEGV signal handler was added; however, this turned out, as expected, to be unreliable. It did add an interesting side effect that is very useful for debugging. If the SIGSEGV signal handler is enabled the worker process typically remains in the “running” state but stops producing event objects. What happens under the hood is that the SIGSEGV signal is caught but the worker is unable to cleanly terminate. Because of this “frozen” state of the worker it is very easy to attach a debugger, e.g. gdb python -p PID.

A kill -11 PID however seems to be cleanly handled by the SIGSEGV signal handler and puts the worker into “error” status.

A worker gives a killed status

This typically indicates that the worker was killed (SIGKILL), likely by an external process, e.g. the Out Of Memory (OOM) killer.

Your system logs might indicate why the worker was killed.

Which processes are running

The following commands help you determine which plaso processes are running on your system:

Linux:

top -p `ps -ef | grep log2timeline.py | grep python | awk '{ print $2 }' | tr '\n' ',' | sed 's/,$//'`

Mac OS X:

ps aux | grep log2timeline.py | grep python | awk '{print $2}' | tr '\n' ',' | sed 's/,$//'

Analyzing crashes with single process and debug mode

In single process and debug mode (log2timeline.py --debug --single-process ...) log2timeline will drop into a Python debug shell (pdb) when an uncaught Python exception is raised.

Use u to go up one level and d to go down one level.

Print the attributes of the current object you are looking for.

!self.__dict__

Print the current argument stack to see what arguments are available to you.

args

Note that inside pdb you can run any Python commands, including loading new libraries, e.g. for troubleshooting. You can prepend commands with an exclamation mark (!) to indicate that you want to run a Python command as opposed to a debug shell one.

Analyzing crashes with gdb

Once you have isolated the file that causes the crash and you cannot share the file you can generate a back trace that can help us fix the error.

First make sure you have the debug symbols installed.

Then run plaso as a single process with gdb:

gdb --ex r --args log2timeline.py --single-process -d /tmp/test.dump /tmp/file_that_crashes_the_tool

To generate a back trace:

bt

Note that often the first 10 lines of the back trace are sufficient information.

An alternative approach is to attach a debugger to it once the program is running:

gdb python -p PID

Where PID is the process identifier of the program. Once the debugger is attached continue running:

c

Wait until the crash occurs and generate a back trace.

Also see: DebuggingWithGdb, gdb Support

High memory usage

Plaso consists of various components. It can happen that one of these components uses a lot of memory or even leaks memory. In these cases it is important to isolate the error, see before, to track down what the possible culprit is. Also see: Profiling memory usage

Also see

Troubleshooting MacOS

How do I remove a plaso installation

If you installed plaso via the installer script in the .dmg, the Mac OS X package manager can be used to remove a plaso installation. For more information about using the Mac OS X package manager see:

  • http://superuser.com/questions/36567/how-do-i-uninstall-any-apple-pkg-package-file

pyparsing errors

Mac OS X bundles its own version of pyparsing that is older than the version required by Plaso. Fix this by using the special wrapper scripts (log2timeline.sh, et al.), or, if you don’t want to do that, manipulate PYTHONPATH so that the newer version is loaded. This is detailed on the Mac OS X development page: Development-release-Mac-OS-X

ImportError: cannot import name dependencies

There can be numerous reasons for imports to fail on Mac OS X; here we describe some of the more common ones encountered:

  • clashing versions: you have multiple clashing versions installed on your system; check the Python site-packages paths such as /Library/Python/2.7/site-packages/ and /usr/local/lib/python2.7/site-packages/.
  • you used pip without virtualenv and have messed up your site-packages

You used pip without virtualenv and have messed up your site-packages

The use of pip without virtualenv on Mac OS X is strongly discouraged, unless you are very familiar with these tools. You might have already messed up your site-packages beyond a state of a timely repair.

Troubleshooting on Ubuntu Linux

Origin of an installed package

To determine the origin of an installed package:

apt-cache showpkg <package name>

Troubleshooting on Windows

Plaso keeps telling me SQLite3 is too old

The Python installation bundles its own version of SQLite3 that is older than the version required by Plaso. Fix this by:

  • Removing the old version of SQLite3:

    C:\Python27\DLL\sqlite3.dll
    C:\Python27\DLL\_sqlite3.pyd
    C:\Python27\Lib\sqlite3\

  • Installing a newer version of SQLite3, if not already installed.

Also see: Dependencies-Windows.md#pysqlite

Not a valid Win32 application

When I load one of the Python modules I get:

ImportError: DLL load failed: %1 is not a valid Win32 application.

This means your Python interpreter (on Windows) cannot load a Python module since the module is not a valid Win32 DLL file. One cause of this could be a mismatch between a 64-bit Python and a 32-bit build of the module (or vice versa).

Unable to find an entry point in DLL

When I try to import one of the Python-bindings or run the PyInstaller build I get:

ImportError: DLL load failed: The specified procedure could not be found. 

Make sure the DLL is built for the right WINAPI version; check the value of WINVER in your build.

setup.py and build errors

Cannot open input file ‘kernel32.lib’

When I try to build one of the Python-bindings in 64-bit with Microsoft Visual Studio 2010 express I get:

fatal error LNK1181: cannot open input file 'kernel32.lib'

Make sure “Platform Toolset” is set to: “Windows7.1SDK”

Unable to find vcvarsall.bat

When running setup.py I get:

error: Unable to find vcvarsall.bat

Make sure the environment variable VS90COMNTOOLS is set, e.g. for Visual Studio 2010:

set VS90COMNTOOLS=%VS100COMNTOOLS%

Or set it to a path:

set VS90COMNTOOLS="C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\"

ValueError: [u’path’] when running setup.py

When running setup.py I get:

ValueError: [u'path']

Try running the command from the “Windows SDK 7.1” or “Visual Studio” Command Prompt.

I’m getting linker “unresolved externals” errors when running setup.py

If you’re building a 64-bit version of a Python binding with Visual Studio 2010 Express make sure to use the “Windows SDK 7.1 Command Prompt”.

Collection Filters

This page is still being worked on.

n.b. collection filters will soon be replaced by artifacts

The idea behind collection filters is simple. If the user of the tool knows beforehand where files of potential interest lie there is no need to go through each and every file in the filesystem. A filter file can be created that describes the location of each file the collector should look for to include in the parsing, and no other file should be included.

The filter file itself is a simple entry per line where each line in the filter file describes a single location to include. The format is essentially:

FIELD 1 | SEPARATOR | FIELD 2 | SEPARATOR | FIELD 3 | …

The separator is a forward slash ‘/’ and each field represents a directory up until the last one, which denotes the files to include. A field can be one of the following three options:

  • A string representing the exact directory name, case insensitive.
  • A regular expression denoting the name of the directory or file.
  • A name of an attribute collected during the preprocessing stage, denoted by a curly bracket {attribute_name}.

This can lead to a line similar to this:

{sysregistry}/.+evt

Or

/(Users|Documents And Settings)/.+/AppData/Roaming/Mozilla/Firefox/Profiles/.+/places.sqlite

The first filter line uses an attribute called “sysregistry” that is discovered during the preprocessing stage and denotes the folder location that stores the system registry files. It will then include all files that end with the three letters “evt” in the collection.

The second line however uses both regular expressions and regular strings to denote the location of Firefox history files.

Each one of these lines may match more than one directory, and each directory can contain more than a single file, so a single line in the filter file may discover several files in different directories on the system.

These files can be used to limit the collection of data from a machine and target the parsing, thus both reducing the amount of irrelevant events in the timeline and reducing the time it takes to parse an image using the tool.

An important caveat is that collection filters do not offer the option of blacklisting, that is to say every file in a folder except files that match pattern foo. Another important caveat is that there is no support for recursion, which means that something like /Users/.+/AppData/** would not search the AppData folder and every subfolder under that. These feature requests are being tracked here
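
The matching rules above (one field per directory level, case-insensitive names, regular expressions, {attribute} expansion, no recursion) can be tried offline with the following added Python example. It is not plaso’s collector code; it treats every field as a case-insensitive regular expression that must match a whole path component, which is an assumption of the example, and the preprocessing attribute value, the file listing and the comment-line handling are constructed for it.

```python
import re


def expand_attributes(line, attributes):
    """Replace each {attribute_name} with the value collected during preprocessing.
    The value is a path; each of its components is regex-escaped so that a directory
    such as "Program Files (x86)" is matched literally."""
    def substitute(match):
        name = match.group(1)
        if name not in attributes:
            raise KeyError("unknown preprocessing attribute {%s}" % name)
        return "/".join(re.escape(part) for part in attributes[name].split("/"))
    return re.sub(r"\{([^}]+)\}", substitute, line)


def compile_filter_line(line, attributes):
    """Turn one filter line into a list of per-level matchers. Assumption of this
    example: every field is a case-insensitive regular expression that must match a
    whole path component; a plain directory name is a regex without metacharacters."""
    fields = [f for f in expand_attributes(line.strip(), attributes).split("/") if f]
    try:
        return [re.compile(field, re.IGNORECASE) for field in fields]
    except re.error as error:
        # e.g. "**" is not a valid field: the format has no recursion operator.
        raise ValueError("invalid field in filter line %r: %s" % (line, error))


def path_matches(path, fields):
    """A path matches only if it has exactly as many components as the line has
    fields (no recursion into subfolders) and every component matches its field."""
    parts = [part for part in path.split("/") if part]
    return len(parts) == len(fields) and all(
        field.fullmatch(part) for field, part in zip(fields, parts))


def collect(filter_lines, attributes, paths):
    """Return the paths selected by the filter file (blank and '#' lines skipped;
    the comment convention is an assumption of this example)."""
    compiled = [compile_filter_line(line, attributes) for line in filter_lines
                if line.strip() and not line.lstrip().startswith("#")]
    return [path for path in paths
            if any(path_matches(path, fields) for fields in compiled)]


# Constructed preprocessing attribute and file listing (assumed values, not taken
# from a real image). The two filter lines are the ones discussed above.
ATTRIBUTES = {"sysregistry": "/Windows/System32/config"}
FILTER_LINES = [
    "{sysregistry}/.+evt",
    "/(Users|Documents And Settings)/.+/AppData/Roaming/Mozilla/Firefox/Profiles/.+/places.sqlite",
]
SAMPLE_PATHS = [
    "/WINDOWS/system32/config/SysEvent.Evt",         # matched: attribute + regex, any case
    "/WINDOWS/system32/config/SAM",                  # not matched: does not end in evt
    "/WINDOWS/system32/config/Backup/AppEvent.Evt",  # not matched: one level too deep
    "/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/abc.default/places.sqlite",
    "/Documents And Settings/Mr. Evil/AppData/Roaming/Mozilla/Firefox/Profiles/x1y2/places.sqlite",
    "/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/abc.default/places.sqlite-wal",
    "/Users/alice/AppData/Local/Mozilla/Firefox/Profiles/abc.default/places.sqlite",
]


if __name__ == "__main__":
    for path in collect(FILTER_LINES, ATTRIBUTES, SAMPLE_PATHS):
        print(path)
```

Run as a script it prints the three selected paths. A line such as /Users/.+/AppData/** makes compile_filter_line raise a ValueError instead of silently matching nothing, since ** is not a valid regular expression field, which is the recursion caveat in a form that fails loudly.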

Event Filters

Event filters can be used both during the extraction phase and in the post-processing stage of the tool.

Tools that have event filter support:

The generic documentation of the filter language can be found here

The filters are invoked differently depending on the tool; consult each tool’s documentation about how that is achieved.

When the filters were originally introduced a blog post was written explaining them. Since then there have been some changes made to the filtering that make it a bit out-of-date, yet it remains a good resource to read over.

How do the filters work

A query is constructed in the following way:

EXPRESSION BOOLEAN_OPERATOR EXPRESSION

Where each expression is:

ATTRIBUTE [not] OPERATOR [not] VALUE

Each expression can also be a collection of binary expressions and operators enclosed in parentheses.

EXPRESSION BOOLEAN_OPERATOR (EXPRESSION BINARY_OPERATOR EXPRESSION)

The following boolean operators are supported:

  • and
  • or
  • && (and)
  • || (or)

The following keywords are available:

Operator | Notes
--- | ---
equals | Determine if the attribute is equal to the value, meaning that both parts need to be exactly the same in order for this to match.
is | Same as equals.
== | Same as equals.
!= | Negative matching of equals, that is it checks if it is not equal to the value (same as “not is”).
contains | If the value is a string it checks if the lowercase version of the value is in the lowercase value of the attribute. That is, this is a case insensitive substring match.
> | Checks if the value is greater than the attribute. If the attribute is date or timestamp and the value is an integer it compares against the timestamp attribute. If the attribute is date and the value is a string it will convert the string value to an integer and then make the comparison.
>= | Checks if the value is greater than or equal to the attribute. If the attribute is date or timestamp the same behavior as in “>” is observed.
< | Checks if the value is less than the attribute. If the attribute is date or timestamp the same checks are made as in “>”, except the comparison is to whether or not the value is less than or equal to the supplied date.
<= | Checks if the value is less than or equal to the value. If the attribute is timestamp or date the same behavior as in “<” is applied.
inset | Checks if the values are all in the set of attributes.
regexp | A case sensitive regular expression is compiled from the value and it is compared against the attribute. The regular expression is somewhat limited; the only escaped strings that are supported are: '"rnbt.ws
iregexp | Same as the regexp above, except the regular expression is compiled as case-insensitive.

And for negative matching the keyword “not” in front of any of these keywords is also supported. That is to say if each of these operators is preceded with the keyword “not” a negative matching is performed.

Example Queries

This means that a query like this can be constructed:

parser is 'syslog' and message contains 'root'

What this filter does is select events with the following logic:

  • parser attribute equals to “syslog”, which means that it will only contain events that are parsed by the syslog parser (remember this is an exact match, case sensitive).
  • message attribute contains the word ‘root’ (case-insensitive search) somewhere in it.

One thing to keep in mind is that although you can use the filters to select which parsers are chosen during the collection/processing phase (that is while running log2timeline), it is highly suggested to use the --parsers parameter instead. The reason is that during the extraction phase the filters work post extraction: each parser will be loaded, used to process a file and extract all the relevant events, and only just before the events are sent to the storage layer are the filters applied and events dropped. Filters during the extraction phase should therefore rather be used to reduce common false positives or noise than to prevent a particular parser from being run.

Another version of this filter query would be:

parser contains 'sysl' and message contains 'root'

The difference here is the case-insensitive matching against the parser name, and instead of being an exact match it is a substring match. The parser name here refers to the parser class's NAME attribute, which is always lowercase and often contains the name of the source. Use log2timeline.py --info to see the names of all the available parsers, or use pinfo.py test.plaso to see a list of all parsers that were used to produce the output in the storage file.

It is worth noting here that the message attribute is not stored in the EventObject. It is a calculated attribute based on the definition of a formatter. That means that for each evaluation the message string is calculated before it is evaluated against the condition, which most likely slows down the filtering quite a bit. If you can avoid the use of the message attribute and instead construct the filter to use only attributes that are stored inside the EventObject, the filter query runs faster.

parser is not 'syslog' and source_short is 'LOG'

  • The parser attribute is NOT ‘syslog’, which means this triggers on all events that do not come from the syslog parser.
  • source_short is 'LOG' means that the source_short attribute equals LOG.
  • Combined this means that the filter will trigger on all events that have the source_short set to LOG and are not produced by the syslog parser.

source_short is 'LOG' AND (timestamp_desc CONTAINS 'written' OR timestamp_desc CONTAINS 'visited')

  • The source_short is LOG.
  • The timestamp description contains either the word “written” or “visited”.

parser contains 'syslog' AND (date > '2012-12-04' AND date < '2015-01-01')

  • The parser name contains the word “syslog”, which is a case-insensitive match against the word.
  • The time of the event is between 2012-12-04 and 2015-01-01.

source_long is 'Made up Source' AND message iregexp 'bad, bad thing [\sa-zA-Z\.]+ evil'

  • The source_long is exactly “Made up Source” (remember, exactly, so this is case-sensitive matching).
  • The message attribute has text that matches the case-insensitive regular expression “bad, bad thing [\sa-zA-Z\.]+ evil”.

parser contains 'firefox' AND pathspec.vss_store_number > 0

  • The parser is “FirefoxHistoryParser” (contains the word “firefox”).
  • The event was extracted from a VSS store instead of from a regular file.
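To make the operator semantics in the table concrete, here is a small evaluator, added as an example and not part of plaso itself, that parses filter expressions like the ones above and runs them over constructed sample events. It assumes events are plain dicts (dotted names resolve nested dicts), that comparisons are evaluated as attribute OP value as the date queries above imply, treats date as an alias for the microsecond timestamp attribute, and leaves out inset.

```python
"""Added example (not plaso's own code): evaluates plaso-style event filters with the
operator semantics from the table above ('inset' omitted) over constructed sample events."""
import operator
import re
from datetime import datetime, timezone

TOKEN_RE = re.compile(r"""\(|\)|'[^']*'|"[^"]*"|[^\s()'"]+""")
# Assumption: comparisons are evaluated as attribute OP value, as the date queries imply.
ORDER_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def date_to_micros(value):
    """Converts 'YYYY-MM-DD' or 'YYYY-MM-DD HH:MM:SS' (UTC) to microseconds since epoch."""
    fmt = "%Y-%m-%d %H:%M:%S" if " " in value else "%Y-%m-%d"
    parsed = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    return int(parsed.timestamp()) * 1000000


def get_attribute(event, name):
    """Resolves dotted names such as pathspec.vss_store_number; 'date' aliases 'timestamp'."""
    value = event
    for part in ("timestamp" if name == "date" else name).split("."):
        value = value.get(part) if isinstance(value, dict) else None  # None: attribute absent
    return value


def compare(attr_name, attr, op_name, value):
    """Applies one operator; events lacking the attribute never match."""
    if attr is None:
        return False
    if op_name in ORDER_OPS:
        if attr_name in ("date", "timestamp") and isinstance(value, str):
            value = date_to_micros(value)  # date strings are compared as timestamps
        return ORDER_OPS[op_name](attr, value)
    if op_name in ("equals", "is", "=="):
        return attr == value  # exact and case-sensitive
    if op_name == "!=":
        return attr != value
    if op_name == "contains":  # case-insensitive substring match for strings
        return value.lower() in str(attr).lower() if isinstance(value, str) else value in attr
    if op_name in ("regexp", "iregexp"):  # iregexp compiles case-insensitively
        return re.search(value, str(attr), re.IGNORECASE if op_name == "iregexp" else 0) is not None
    raise ValueError("unknown operator: " + op_name)


class FilterParser:  # recursive descent: or_expr -> and_expr -> factor, yielding a predicate
    def __init__(self, text):
        self.tokens, self.pos = TOKEN_RE.findall(text), 0

    def peek(self):  # lowercased so AND/and and CONTAINS/contains both work
        return self.tokens[self.pos].lower() if self.pos < len(self.tokens) else None

    def take(self):
        self.pos += 1  # an IndexError here means a truncated filter
        return self.tokens[self.pos - 1]

    def parse_list(self, keyword, parse_part, combine):
        parts = [parse_part()]
        while self.peek() == keyword:
            self.take()
            parts.append(parse_part())
        return lambda event: combine(part(event) for part in parts)

    def parse_or(self):
        return self.parse_list("or", self.parse_and, any)

    def parse_and(self):
        return self.parse_list("and", self.parse_factor, all)

    def parse_factor(self):
        if self.peek() == "(":
            self.take()
            predicate = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return predicate
        attr_name, negate = self.take(), False
        if self.peek() == "not":  # "parser not contains 'x'"
            negate, _ = True, self.take()
        op_name = self.take().lower()
        if self.peek() == "not":  # "parser is not 'x'"
            negate, _ = True, self.take()
        token = self.take()  # quoted tokens are strings, bare tokens integers
        value = token[1:-1] if token[0] in "'\"" else int(token)
        return lambda event: negate != compare(
            attr_name, get_attribute(event, attr_name), op_name, value)


def filter_events(events, filter_text):
    """Returns the events matching a plaso-style filter expression."""
    parser = FilterParser(filter_text)
    predicate = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unexpected token: " + parser.take())
    return [event for event in events if predicate(event)]


EVENTS = [  # constructed sample events shaped like plaso EventObject attributes
    {"parser": "syslog", "source_short": "LOG", "timestamp": date_to_micros("2013-05-01 10:00:00"),
     "timestamp_desc": "Content Modification Time", "message": "session opened for user ROOT"},
    {"parser": "firefox_history", "source_short": "WEBHIST", "timestamp_desc": "Last Visited Time",
     "timestamp": date_to_micros("2014-02-02 12:00:00"), "pathspec": {"vss_store_number": 2}},
    {"parser": "winreg", "source_short": "REG", "source_long": "Made up Source", "username": "Joe",
     "timestamp": date_to_micros("2011-03-03 08:30:00"), "message": "a bad, bad thing that is evil"},
]
```

Events without the queried attribute never match, so "username contains 'joe'" only returns the one sample event that carries a username, mirroring the behaviour described for psort filters later on this page.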

Analysis Plugins

Nsrlsvr Analysis Plugin

Notes on how to use the nsrlsvr analysis plugin.

Setting up nsrlsvr

The source of nsrlsvr can be found here

Follow the installation instructions.

Running nsrlsvr

To run nsrlsvr:

nsrlsvr -f /fullpath/NSRLFile.txt

To test if nsrlsvr is working you’ll need nsrllookup

To run nsrllookup against your instance of nsrlsvr:

echo $MD5 | nsrllookup -s localhost -p 9120 -k 

Which will return $MD5 if it is present in NSRLFile.txt and nothing when $MD5 is not present.

Running plaso

First run log2timeline to calculate the hashes:

log2timeline.py --hashers md5 timeline.plaso image.raw

Make sure to enable hashers supported by nsrlsvr, which is md5 in this example.

Next run psort to tag events:

psort.py --analysis nsrlsvr --nsrlsvr-hash md5 --nsrlsvr-host localhost --nsrlsvr-port 9120 -o null timeline.plaso

Tagging Analysis Plugin

Notes on how to use the tagging analysis plugin.

Creating the tagging file

A tagging-file.txt is an UTF-8 encoded text file that contains tagging definitions.

A tagging definition consists of:

TAG LABEL
  EVENT TAGGING EXPRESSION

For example:

task_schedule
  data_type is 'windows:evt:record' and source_name is 'Security' and event_identifier is 602
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4698

Running plaso

First run log2timeline to extract events:

log2timeline.py timeline.plaso image.raw

Next run psort to tag events:

psort.py --analysis tagging --tagging-file tagging-file.txt timeline.plaso

Viper Analysis Plugin

Notes on how to use the viper analysis plugin.

Setting up Viper

The Viper project maintains installation instructions here: https://viper-framework.readthedocs.io/en/latest/installation/index.html

Running plaso

First run log2timeline to extract events:

log2timeline.py timeline.plaso image.raw

Note that hashing must be turned on for the viper plugin to work correctly. This is the default setting for log2timeline.py.

Next run psort to tag events, then output them:

psort.py --analysis viper -o timeline_with_viper_tags.csv timeline.plaso

If a file processed by Plaso is present in the viper instance, it will be tagged with viper_present. If it’s part of a project in viper, it will also be tagged with viper_project_$PROJECTNAME.

Virustotal analysis plugin

Notes on how to use the virustotal analysis plugin.

Getting an API key

The virustotal analysis uses the public Virustotal API, and requires an API key to operate. The process for obtaining an API key is here.

Running plaso

First run log2timeline to extract events:

log2timeline.py timeline.plaso image.raw

Note that hashing must be turned on for the virustotal plugin to work correctly. This is the default setting for log2timeline.py.

Next run psort to tag events:

psort.py --analysis virustotal --virustotal-api-key $API_KEY -o timeline_with_virustotal_tags.csv timeline.plaso

If a file processed by Plaso is present in Virustotal and has been detected as malicious by one or more detection engines, it will be tagged with virustotal_detections_$NUMBER_OF_DETECTIONS. If the file is in Virustotal, but it hasn’t been fully analyzed yet, it will be tagged with virustotal_analysis_pending. If the file is in Virustotal, but has not been detected as malicious, it will be tagged with virustotal_no_detections. If the file isn’t in Virustotal, it will be tagged as virustotal_not_present.

Tips and Tricks

This is a collection of a few tips and tricks that can be used with plaso.

analyzeMFT and plaso

Plaso can parse the output of analyzeMFT in bodyfile (or mactime) output.

Run analyzeMFT as following:

$ analyzeMFT.py -b output.bodyfile -f input.MFT
$ log2timeline.py test.plaso output.bodyfile

The mactime parser of plaso will parse the bodyfile.

Also see: Mactime

Split the output of psort

psort itself does not provide you the option of splitting the file into chunks, however there are other ways to achieve that, such as using the standard Unix tool split, eg:

$ psort.py test.plaso | split -b 10m - split_output_

This will leave you with the following files:

  • split_output_aa
  • split_output_ab
  • split_output_ac
  • split_output_ad

And so on; the chunk size can be controlled by the -b parameter of the split command.

Switching from Log2Timeline Perl (Legacy) to plaso

This is a site that should contain information for those that are used to the 0.X branch of log2timeline, also known as Log2Timeline Perl or Log2Timeline legacy.

The syntax has changed somewhat from the older version, the largest user facing differences may be:

  • Output of the tool is no longer controllable through the log2timeline front-end (there is only one storage mechanism and that is binary). The user needs to run psort on the output to produce a human-readable content (with l2t_csv as the default output).
  • Raw image files can be parsed directly, so mounting the images is no longer required (not encouraged).
  • Parser names have changed (there are a number of new parsers, and some have not yet been ported).
  • Parameters have changed considerably and options are different, so please read this page.
  • The post-processing tool is no longer called l2t_process, it is now named psort.
  • The name plaso can come up in the discussion; that is the name of the new backend (as opposed to Log2Timeline, which is the old Perl backend). Hence plaso refers to the backend, log2timeline to the CLI based front-end of the tool. There are other front-ends to the tool though, for instance timesketch and 4n6time.

Let’s go over the old and new method of collecting a timeline from a simple image file.

Old method

First of all we needed to mount the image. Something like this:

sudo mount -t ntfs-3g -o ro,nodev,noexec,show_sys_files,streams_interface=windows,loop,offset=32256 image.dd /mnt/ntfs

Then we needed to run log2timeline against the mount point. You needed to define the timezone of the suspect image, which could get overwritten if a correct value was found and you needed to define which parsers to use. The sample run is:

cd /mnt/ntfs
log2timeline -r -p -z CST6CDT -f win7 . > /cases/timeline/myhost.csv 2> /cases/timeline/myhost.log

This would pick all the parsers defined in the “win7” list and run those against every file found in the mount point. A list of all available parsers and lists could be produced by running:

log2timeline -f list

As noted earlier, the above approach would produce a large “kitchen-sink” timeline that is not sorted. To sort it (no filtering):

cd /cases/timeline
l2t_process.py -b myhost.csv > myhost.sorted.csv

Now we would have a large sorted CSV file ready to analyze.

Limiting the output to a specific date could be achieved using methods like:

l2t_process.py -b myhost.csv 10-10-2012..10-11-2012

However, you could not limit the output of the timeline to a more narrow timeframe than a single day, for that you needed grep (or some other tools of choice).

l2t_process.py -b myhost.csv 10-10-2012..10-11-2012 | grep ",1[8-9]:[0-5][0-9]:[0-9][0-9],"

And filtering based on content was constrained to few options:

  • Use a keyword file that contained case-insensitive keywords (potentially regular expressions) and supply that as a white- or blacklist.
  • Use a YARA rule that matched against the description_long field.
  • Use grep/sed/awk.

The problem with most of the l2t_process filtering is that it was either done on the whole line or against the description_long field. There was no easy way to filter against a more specific attribute of the event.

New method

Since the new version works directly on a raw image file there is no need to mount the image first (and mounting them is actually highly discouraged), the timeline can be created in a single step:

log2timeline.py /cases/timeline/myhost.plaso image.dd

The tool will detect whether the input is a file, a directory or a disk image/partition. If the tool requires additional information, such as when VSS stores are detected or when the image contains more than a single partition, the tool will ask for additional details. An example of that:

The following Volume Shadow Snapshots (VSS) were found:
Identifier      VSS store identifier                    Creation Time
vss1            23b509aa-3499-11e3-be88-24fd52566ede    2013-10-16T13:18:01.685825+00:00
vss2            8dfc93b3-376f-11e3-be88-24fd52566ede    2013-10-18T00:28:29.120593+00:00
vss3            dc8ffcf4-3a6b-11e3-be8a-24fd52566ede    2013-10-21T19:24:50.879381+00:00

Please specify the identifier(s) of the VSS that should be processed:
Note that a range of stores can be defined as: 3..5. Multiple stores can
be defined as: 1,3,5 (a list of comma separated values). Ranges and lists can
also be combined as: 1,3..5. The first store is 1. If no stores are specified
none will be processed. You can abort with Ctrl^C.

The options can also be supplied on the command line: -o 63 for the sector offset into the disk image, --vss_stores '1,2' for defining the VSS stores to parse, --no-vss to skip VSS stores, or --vss_stores all for processing all VSS stores.

This can also be achieved without knowing the offset into the disk image.

log2timeline.py --partition 2 /cases/timeline/myhost.dump image.dd

First of all there is quite a difference in the number of parameters, let’s go slightly over them:

  • There is no -r for recursive: when the tool is run against an image or a directory recursion is automatically assumed; run it against a single file and recursion is not turned on.
  • There is no need to supply the tool with the -p (preprocessing) when run against an image, that is automatically turned on.
  • The -z CST6CDT is not used here. The tool automatically picks up the timezone and uses that. The option is still available for the case where the timezone is not identified; if it is not provided, UTC is used as the timezone.
  • You may have noticed there is no -f list parameter used. The notion of selecting filters is now removed and is done automatically. The way the tool now works is that it tries to “guess” the OS and select the appropriate parsers based on that selection. The categories that are available can be found here or by issuing log2timeline.py --info. If you want to overwrite the automatic selection of parsers you can define them using the --parsers parameter.
  • You have to supply the tool with the parameter to define where to save the output (can no longer just output to STDOUT and pipe it to a file).

The equivalent of the old tool's -f list can now be found using --info. That will print out all available parsers and plugins in the tool. One thing to take note of is the different concepts of plugins and parsers. In the old tool there was just the notion of a parser, whose purpose was to parse a single file/artifact. However plaso introduces both plugins and parsers, and there is a distinction between the two. The parser understands and parses file formats whereas a plugin understands data inside file formats. So in the case of the Windows Registry the parser understands the file format of the registry and parses that, but it is the purpose of a plugin to read the actual key content and produce meaningful data from it. The same goes for SQLite databases: the parser understands how to read SQLite databases while the plugins understand the data in them. An example of a SQLite plugin is the Chrome History plugin, or the Firefox History plugin. Both are SQLite databases so they use the same parser, but the data stored in them is different, thus we need a plugin for each.

To see the list of presets that are available use the --info parameter. The old tool allowed you to indicate which presets you wanted using the -f parameter. In the new version this same functionality is exposed as the --parsers parameter. The difference is that you can now supply globs or patterns to match parser names (since they are longer than in the previous version). Example usage of this parameter is:

log2timeline.py --parsers "win7" /cases/timeline/myhost.dump image.dd
log2timeline.py --parsers "win7,-winreg" /cases/timeline/myhost.dump image.dd
log2timeline.py --parsers "winreg,winevt,winevtx" /cases/timeline/myhost.dump image.dd

There is another difference, the old tool used l2t_csv as the default output, which could be configured using the -o parameter of log2timeline. This output was all saved in a single file that was unsorted, which meant that a post-processing tool called l2t_process needed to be run to sort the output and remove duplicate entries before analysis started (you could however immediately start to grep the output).

The new version does not allow you to control the output (at the moment; that support will be added in future versions), there is only one available output and that is the plaso storage file. That output is a ZIP container that stores binary files that represent each event. This has many benefits over the older format: first of all the data is compressed, saving disk space, and it can store metadata about the runtime of the tool, information gathered during the parsing and other useful information that could not be stored in the older format. The data is also stored semi-sorted (several smaller sorted files), which makes sorting easier (and less strenuous on memory), and finally the data is stored in a more structured format making filtering considerably easier and more flexible.

The downside of the storage format is that you can no longer immediately start to grep or analyze the output of the tool, now you need to run a second tool to sort, remove duplicates and change it into a human readable format.

psort.py -w /cases/timeline/myhost.sorted.csv /cases/timeline/myhost.dump

However, with the new storage format and the filtering possibilities of psort, many new things are now available that were not possible in the older version. For instance the possibility to narrow down the window of output to few minutes:

psort.py /cases/timeline/myhost.dump "date > '2012-10-10 18:24:00' and date < '2012-10-10 22:25:19'"

Or to a specific dataset:

psort.py /cases/timeline/myhost.dump "date > '2012-10-10 12:00:00' and date < '2012-10-10 23:55:14' and message contains 'evil' and (source is 'LNK' or timestamp_desc iregexp 'st\swr' or filename contains 'mystery')"

Or to just present a small time slice based on a particular event of interest:

psort.py --slice "2012-10-10 12:00:00" /cases/timeline/myhost.dump

More on the usage of filters here.

The main difference between the old branch and the new one is that now filtering is a lot more granular, and also very different. It is possible to filter against every attribute that is stored inside the event. Some types of events will store certain attributes, while others will not.

psort.py /cases/timeline/myhost.dump "username contains 'joe'"

A filter like the one above will go through every event and only include those events that actually have the username attribute set, which may not be many (only those events that can positively attribute an event to a specific user). It then filters those events even further by only including the events whose username contains the letters “joe” (case-insensitive).

The most common usage of the filters will most likely be constrained to the common fields, like source/source_short, date/timestamp, source_long, message, filename, timestamp_desc, parser, etc.

For now, the new version does not have some of the capabilities that the older version had, namely:

  • Yara rules to filter out content.
  • White/black lists.

These are things that are on the roadmap and should hopefully be added before too long.

Another new thing that the older version did not have is metadata stored inside the storage file. Since the older version only used l2t_csv as the output (default output, configurable) it had no means of storing metadata about the runtime of the tool nor the events that were collected. That has changed with the new version. Some of the metadata stored can be used for filtering out data (or has the potential of being used for that) or at least be printed out again, since it contains useful information about the collection.

pinfo.py -v /cases/timeline/myhost.dump

This tool will dump out all the metadata information that is stored inside the storage file, so you can see exactly what is stored in there. The storage may also contain additional details, such as tags for events, analysis reports and other data.

Another aspect that was not part of the older version is tagging and any other sort of automatic analysis on the data set.

TODO: describe tagging

Developer documentation

Developer Guide

Python 3 Guide

plaso is Python 3 compatible, but not all of its dependencies are.

This page contains information about which Python language features to use to help plaso to stay Python 2.7 compatible and stay Python 3.4 and later compatible.

Python

See: https://docs.python.org/3/howto/pyporting.html

  • exception.message no longer accessible
  • dict.sort() no longer works
  • more picky about string conversion in format e.g. printing a set as {0:s}
  • open() must be passed binary mode
  • next() replaced by __next__()
  • dict iter functions: https://docs.python.org/3.1/whatsnew/3.0.html#views-and-iterators-instead-of-lists
    • What about plistlib._InternalDict.iteritems() ?
dict.iteritems() => iter(dict.items())

Integers

  • The result of / is a floating point, use divmod() instead (or //)
  • long() and 1L no longer work

Strings

  • % format notation no longer supported, replaced by format and {} notation
  • explicitly mark byte strings (b'')
  • str is Unicode not bytes so str.decode fails
  • Use __unicode__ in preference of __str__
  • unicode() is no longer supported
  • basestring is no longer supported

Make the default string type Unicode.

from __future__ import unicode_literals

print

In Python 3 print is a function:

print "Test" => print("Test")

For compatibility with Python 2, and to stop pylint complaining, add the following import:

from __future__ import print_function

StringIO.StringIO

StringIO.StringIO is replaced by io.StringIO and io.BytesIO

urllib2

From: https://docs.python.org/2/library/urllib2.html

The urllib2 module has been split across several modules in Python 3 named urllib.request and urllib.error.

if sys.version_info[0] < 3:
  import urllib2 as urllib_error
  from urllib2 import urlopen
else:
  import urllib.error as urllib_error
  from urllib.request import urlopen

xrange()

xrange() is no longer supported by Python 3 use range() instead:

xrange(10) => range(0, 10)

map()

TypeError: 'map' object is not subscriptable

E.g.

map(int, [1])[0]

In Python 3 map() returns a map where in Python 2 this was a list e.g.

type(map(int, [1]))

A solution is to wrap map in a list.

Other similar errors are:

TypeError: unorderable types: map() < map()

filter

In Python 3 filter() returns a filter where in Python 2 this was a list e.g.

type(filter(None, []))

A solution is to wrap filter in a list.

To do

from __future__ import absolute_import
from __future__ import division

Octal integers are written in a different form e.g. instead of 0666 now 0o666

C extensions

See: http://python3porting.com/cextensions.html

Setting up and maintaining your development environment

The first challenge you will encounter is setting up and maintaining your development environment.

Start by installing a development release on your platform:

Setting up plaso in virtualenv

For development purposes, Plaso can be installed using virtualenv.

Note that this is intended for development use only, and if you aren’t comfortable debugging package installation, this is not for you.

Fedora Core
Install virtualenv

To install virtualenv on Fedora Core (or equivalent) run:

sudo dnf install python-virtualenv

Installing build dependencies

TODO add more text

Ubuntu
Installing virtualenv

To install virtualenv on Ubuntu (or equivalent) run:

sudo apt-get install python-virtualenv

Installing build dependencies

TODO add more text

sudo apt-get install libyaml-dev liblzma-dev

Setting up plaso in virtualenv

To create a virtualenv:

virtualenv plasoenv

To activate the virtualenv:

source ./plasoenv/bin/activate

Note that using pip outside a virtualenv is not recommended since it bypasses your system's package manager.

pip install --upgrade pip
curl -O https://raw.githubusercontent.com/log2timeline/plaso/master/requirements.txt
pip install -r requirements.txt

To install Python modules from source:

VENVDIR=`readlink -f plasoenv`
${VENVDIR}/bin/python setup.py build
${VENVDIR}/bin/python setup.py install

To deactivate the virtualenv run:

deactivate

To download the latest version of Plaso you’ll need to install the git tools:

sudo dnf install git

Checkout the plaso source from the git repo:

git clone https://github.com/log2timeline/plaso.git

To be able to run the plaso development release on Fedora Core or equivalent you’ll have to have installed the dependencies.

Check if you have all the dependencies installed and have the right minimum version:

python utils/check_dependencies.py

Note that some dependencies are actively under development and can be frequently updated, therefore we recommend checking the status of the dependencies regularly.

Development tools

If you intend to do development on plaso you’ll also need to install some development tools:

  • PyLint 1.7.x
  • Python Mock

Development Release MacOS

To download the latest version of Plaso you’ll need to install the git tools: http://git-scm.com/downloads

Checkout the plaso source from the git repo:

git clone https://github.com/log2timeline/plaso.git

To be able to run the plaso development release on MacOS you’ll have to have installed the dependencies.

Check if you have all the dependencies installed and have the right minimum version:

./utils/check_dependencies.py

Note that some dependencies are actively under development and can be frequently updated, therefore we recommend checking the status of the dependencies regularly.

If check_dependencies.py keeps indicating it detected an out of date version check if the following directory might still contain an older version:

/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/

Apple also ships version 2.0.1 of pyparsing under /System/Library/Frameworks/Python.framework which is loaded first, even if you have a newer pyparsing installed. You can work around this by specifying the PYTHONPATH when you run one of the command line tools - try PYTHONPATH=/Library/Python/2.7/site-packages:$PYTHONPATH ./tools/log2timeline.py --help if you’re having problems.

Development tools

If you intend to do development on plaso you’ll also need to install some development tools:

  • PyLint 1.7.x
  • Python Mock

To download the latest version of Plaso you’ll need to install the git tools:

sudo apt-get install git

Checkout the plaso source from the git repo:

git clone https://github.com/log2timeline/plaso.git

To be able to run the plaso development release on Ubuntu or equivalent you’ll have to have installed the dependencies.

Check if you have all the dependencies installed and have the right minimum version:

python utils/check_dependencies.py

Note that some dependencies are actively under development and can be frequently updated, therefore we recommend checking the status of the dependencies regularly.

Update frequently

If you really want to run the development release, aka “Bleeding Edge”, make sure to update frequently.

To update plaso:

git pull origin master

If you are using a “github fork” your origin is pointing at your fork, not the main plaso git repo:

git remote -v
origin  https://github.com/log2timeline/plaso (fetch)
origin  https://github.com/log2timeline/plaso (push)

Add an upstream remote that you can use to sync your fork:

git remote add upstream https://github.com/log2timeline/plaso.git
git pull --rebase upstream master

We provide packaged versions of the dependencies via the l2tbinary project. However it is possible that the dependencies are not fully up to date therefore we also provide a build script as part of l2tdevtools project to do unattended bulk builds.

Development tools

If you intend to do development on plaso you’ll also need to install some development tools:

  • PyLint
  • Python Mock

PyLint

Currently plaso development uses PyLint version 1.6.x.

Remove any older version of PyLint.

sudo apt-get remove pylint

For pylint 1.6.x the following additional dependencies are required:

  • https://pypi.python.org/pypi/astroid
  • https://pypi.python.org/pypi/lazy-object-proxy
  • https://pypi.python.org/pypi/logilab-common
  • https://pypi.python.org/pypi/wrapt

Download and build the python-wrapt Debian package: TODO describe

Download and build the python-lazy-object-proxy Debian package: TODO describe

Download and build the python-logilab-common Debian package:

hg clone http://hg.logilab.org/logilab/common
cd common
dpkg-buildpackage -rfakeroot
cd ..

Since you’re building from the development branch it is possible that you need to disable failing tests. Either report these as bugs to the PyLint project or fix them yourself.

Download and build the python-astroid Debian package:

hg clone https://bitbucket.org/logilab/astroid
cd astroid
dpkg-buildpackage -rfakeroot
cd ..

Download and build the pylint Debian package:

hg clone https://bitbucket.org/logilab/pylint
cd pylint
dpkg-buildpackage -rfakeroot
cd ..

Install the python-wrapt, python-lazy-object-proxy, python-logilab-common, python-astroid and pylint Debian packages:

sudo dpkg -i python-wrapt python-lazy-object-proxy python-logilab-common_0.60.0-1_all.deb python-astroid_1.0.1-1_all.deb pylint_1.6.5-1_all.deb

Python Mock

To install Python Mock run:

sudo apt-get install python-mock

To download the latest version of Plaso you’ll need to install the git tools: http://git-scm.com/downloads

Checkout the plaso source from the git repo:

git clone https://github.com/log2timeline/plaso.git

If you intend to submit code make sure to configure git to convert to Unix-style end-of-line characters (linefeed) on submission and not keep the Windows-style end-of-line characters (carriage return + linefeed).

We recommend to configure your editor of choice to use linefeed only and turn off git’s autocrlf:

git config --global core.autocrlf false

To be able to run the plaso development release on Windows you’ll have to have installed the dependencies.

Check if you have all the dependencies installed and have the right minimum version:

C:\Python27\python.exe utils\check_dependencies.py

Note that some dependencies are actively under development and can be frequently updated, therefore we recommend checking the status of the dependencies regularly.

Running the development release

To run the development release directly from source make sure Python can find the plaso source files by setting PYTHONPATH correspondingly.

set PYTHONPATH=C:\plaso-build\plaso

To run e.g. pinfo:

C:\Python27\python.exe C:\plaso-build\plaso\plaso\frontend\pinfo.py plaso.db

Development tools

If you intend to do development on plaso you’ll also need to install some development tools:

  • PyLint
  • Python Mock

PyLint

At the moment Plaso development requires PyLint 1.6.x.

TODO: describe building pylint 1.6.x

For pylint 1.6.x the following additional dependencies are required:

  • https://pypi.python.org/pypi/astroid
  • https://pypi.python.org/pypi/lazy-object-proxy
  • https://pypi.python.org/pypi/logilab-common
  • https://pypi.python.org/pypi/wrapt

Python Mock

Download the latest source package from: https://pypi.python.org/pypi/mock

To build the MSI file run the following commands from the build root directory:

tar xvf mock-1.0.1.tar.gz
cd mock-1.0.1\
C:\Python27\python.exe setup.py bdist_msi
cd ..

This will create a MSI in the dist sub directory e.g.:

dist\mock-1.0.1.win32.msi

Install the MSI.

Building dependencies

If you’re feeling particularly brave, you can try building all the dependencies yourself.

Note that plaso and some of its dependencies are currently under active development, so keeping up with the development release is not for “the faint of heart”.

  • Running the development release on Ubuntu Linux

    Building Dependencies on Ubuntu

    This page contains detailed instructions on how to build and install dependencies on Ubuntu. Some of these instructions should also work on Ubuntu like systems like Debian or Linux Mint.

    There are multiple ways to install the dependencies on Ubuntu:

    • Using the GIFT PPA to install prepackaged versions of the dependencies;
    • Using the log2timeline devtools to batch build most of the dependencies;
    • Manual build of the dependencies.
    Prepackaged dependencies

    Moved

    Batch build

    Moved

    Manual build

    It is impossible for us to support all flavors of Ubuntu out there, so if you want smooth sailing, we recommend sticking with the supported version or live with the fact that a manual build of the dependencies can be a tedious task.

    For ease of maintenance the following instructions use as much deb package files as possible. Note that the resulting deb files are not intended for public redistribution.

    Alternative installation methods like installing directly from source, using easy_install or pip are not recommended because when not maintained correctly they can mess up your setup more easily than using deb packages.

    First create a build root directory:

    mkdir plaso-build/
    

    Next make sure your installation is up to date:

    sudo apt-get update
    sudo apt-get upgrade
    
    Build essentials

    Make sure the necessary building tools and development packages are installed on the system:

    sudo apt-get install build-essential autotools-dev libsqlite3-dev python-dev debhelper devscripts fakeroot quilt git mercurial python-setuptools libtool automake
    
    Python modules

    The following instructions apply to the following dependencies:

    Name | Download URL | Comments | Dependencies
    --- | --- | --- | ---
    artifacts | https://github.com/ForensicArtifacts/artifacts/releases | Comes with dpkg files |
    bencode | https://pypi.python.org/pypi/bencode | |
    binplist | https://github.com/google/binplist/releases | Comes with dpkg files |
    construct | https://pypi.python.org/pypi/construct#downloads | 2.5.2 or later 2.x version | six
    dateutil | https://pypi.python.org/pypi/python-dateutil | |
    dpkt | https://pypi.python.org/pypi/dpkt | |
    google-apputils | https://pypi.python.org/pypi/google-apputils | |
    PyParsing | http://sourceforge.net/projects/pyparsing/files/ | 2.0.3 or later 2.x version |
    python-gflags | https://github.com/google/python-gflags/releases | |
    pytz | https://pypi.python.org/pypi/pytz | |
    PyYAML | http://pyyaml.org/wiki/PyYAML | |
    pyzmq | https://pypi.python.org/pypi/pyzmq | Needs Cython to build |
    requests | https://github.com/kennethreitz/requests/releases | Make sure to click on: “Show # newer tags” |
    six | https://pypi.python.org/pypi/six#downloads | |
    yara-python | https://github.com/VirusTotal/yara-python | |

    Some of these Python modules can be directly installed via apt-get:

    sudo apt-get install python-yaml
    
    Building a deb

    First extract the package:

    tar zxvf package-1.0.0.tar.gz
    

    Next change into the package source directory:

    cd package-1.0.0/
    

    Some of the Python modules come with dpkg files stored in config/dpkg. For those Python modules copy the dpkg files to a debian sub directory:

    cp -rf config/dpkg debian
    

    For those that don’t come with dpkg files you can use dpkg-generate.py to generate them e.g.:

    PYTHONPATH=l2tdevtools l2tdevtools/tools/dpkg-generate.py --source-directory=. package
    mv dpkg debian
    

    Have dpkg-buildpackage build the deb file:

    dpkg-buildpackage -rfakeroot
    

    This will create the following files in the build root directory:

    python-package-1.0.0-1_all.deb
    

    Note that the actual deb file name can vary per package.

    To install the required deb files run:

    sudo dpkg -i python-package-1.0.0-1_all.deb
    
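    The “Building a deb” steps above as one script, as an added example for these docs (it is not plaso’s or l2tdevtools’ own code). It derives the source directory from the tarball name rather than retyping it, picks config/dpkg when the module ships dpkg files and dpkg-generate.py otherwise, and, as an added check, refuses to build a tarball whose SHA-256 does not match the digest you took from the upstream release page. It assumes it is run from the build root and that l2tdevtools is checked out at $L2TDEVTOOLS (default ./l2tdevtools); the checksum argument is optional.

```shell
#!/bin/sh
# build_deb.sh: the "Building a deb" steps for one source tarball.
# Added example for these docs, not plaso's or l2tdevtools' own code.
# Assumes: run from the build root; l2tdevtools checked out at $L2TDEVTOOLS
# (default ./l2tdevtools), so dpkg-generate.py is $L2TDEVTOOLS/tools/dpkg-generate.py.
#
# Usage (from the build root):
#   . ./build_deb.sh; build_deb mock-1.0.1.tar.gz [expected_sha256]

L2TDEVTOOLS=${L2TDEVTOOLS:-$PWD/l2tdevtools}

# package-1.0.0.tar.gz -> package-1.0.0 (the directory tar creates).
# Deriving the directory from the archive name avoids a "cd" into the
# directory of a different release, an easy slip with copied commands.
source_dir_for_tarball() {
  b=$(basename "$1")
  case "$b" in
    *.tar.gz)  printf '%s\n' "${b%.tar.gz}" ;;
    *.tgz)     printf '%s\n' "${b%.tgz}" ;;
    *.tar.bz2) printf '%s\n' "${b%.tar.bz2}" ;;
    *)         return 1 ;;
  esac
}

# Added check: compare the tarball's SHA-256 with the digest published by
# the upstream project before anything is extracted or built.
# sha256sum is the coreutils tool; shasum is the fallback without it.
verify_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$1" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
  fi
  [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Some modules ship dpkg files in config/dpkg; the rest need dpkg-generate.py.
dpkg_source_for() {
  if [ -d "$1/config/dpkg" ]; then echo bundled; else echo generated; fi
}

# build_deb <tarball> [expected_sha256]: extract, put the dpkg files in
# debian/, run dpkg-buildpackage. The .deb files land in the build root.
build_deb() {
  tarball=$1
  srcdir=$(source_dir_for_tarball "$tarball") || {
    echo "unsupported archive: $tarball" >&2; return 1; }
  if [ -n "${2:-}" ] && ! verify_sha256 "$tarball" "$2"; then
    echo "SHA-256 mismatch for $tarball, refusing to build" >&2; return 1
  fi
  tar xf "$tarball"
  package=${srcdir%-*}          # package-1.0.0 -> package
  case $(dpkg_source_for "$srcdir") in
    bundled)
      cp -rf "$srcdir/config/dpkg" "$srcdir/debian" ;;
    generated)
      (cd "$srcdir" \
         && PYTHONPATH="$L2TDEVTOOLS" "$L2TDEVTOOLS/tools/dpkg-generate.py" \
              --source-directory=. "$package" \
         && mv dpkg debian) || return 1 ;;
  esac
  (cd "$srcdir" && dpkg-buildpackage -rfakeroot)
}
```

    The digest check is deliberately placed before tar runs: a deb built from a tampered or truncated download is installed with root privileges by the dpkg -i step, so that is the point at which to stop.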
    dfVFS

    The dfVFS build instructions can be found here. Note that for dfVFS to function correctly several dependencies, like pytsk, mentioned later in a section of this page, are required.

    Download the latest source package from: https://github.com/log2timeline/dfvfs/releases

    To build deb files run the following command from the build root directory:

    tar xvf dfvfs-20140219.tar.gz 
    cd dfvfs-20140219/
    cp -rf dpkg debian
    dpkg-buildpackage -rfakeroot
    cd ..
    

    This will create the following files in the build root directory:

    python-dfvfs_20140219-1_all.deb
    

    To install the required deb files run:

    sudo dpkg -i python-dfvfs_20140219-1_all.deb
    
    Hachoir

    To install hachoir run:

    sudo apt-get install python-hachoir-core python-hachoir-metadata python-hachoir-parser
    
    IPython

    To install IPython run:

    sudo apt-get install ipython
    

    For information on how to build IPython from source see: http://ipython.org/ipython-doc/stable/install/install.html

    libyal

    The following instructions apply to the following dependencies:

    Name | Download URL | Comments | Dependencies
    --- | --- | --- | ---
    libbde | https://github.com/libyal/libbde | | libfuse, libcrypto
    libesedb | https://github.com/libyal/libesedb | |
    libevt | https://github.com/libyal/libevt | |
    libevtx | https://github.com/libyal/libevtx | |
    libewf | https://github.com/libyal/libewf | | libfuse, libcrypto, zlib
    libfsntfs | https://github.com/libyal/libfsntfs | |
    libfvde | https://github.com/libyal/libfvde | | libfuse, libcrypto, zlib
    libfwsi | https://github.com/libyal/libfwsi | |
    liblnk | https://github.com/libyal/liblnk | |
    libmsiecf | https://github.com/libyal/libmsiecf | |
    libolecf | https://github.com/libyal/libolecf | | libfuse
    libqcow | https://github.com/libyal/libqcow | | libfuse, zlib
    libregf | https://github.com/libyal/libregf | | libfuse
    libscca | https://github.com/libyal/libscca | |
    libsigscan | https://github.com/libyal/libsigscan | |
    libsmdev | https://github.com/libyal/libsmdev | |
    libsmraw | https://github.com/libyal/libsmraw | | libfuse, libcrypto
    libvhdi | https://github.com/libyal/libvhdi | | libfuse
    libvmdk | https://github.com/libyal/libvmdk | | libfuse, zlib
    libvshadow | https://github.com/libyal/libvshadow | | libfuse

    Install the following dependencies for building libyal:

    sudo apt-get install libbz2-dev libfuse-dev libssl-dev zlib1g-dev
    

    Since the build process for the libyal libraries is very similar, the following paragraph uses libevt as an example. For more details see the build instructions of the individual projects, e.g. https://github.com/libyal/libevt/wiki/Building.

    Note that there is also a script to batch build the libyal dependencies; more information is available here: https://github.com/log2timeline/l2tdevtools/wiki/Build-script

    Example: libevt and Python-bindings

    Download the latest source package from: https://github.com/libyal/libevt/releases

    To build deb files run the following command from the build root directory:

    tar xfv libevt-alpha-20150105.tar.gz
    cd libevt-20150105
    cp -rf dpkg debian
    dpkg-buildpackage -rfakeroot
    cd ..
    

    This will create the following files in the build root directory:

    libevt_20150105-1_amd64.deb
    libevt-dbg_20150105-1_amd64.deb
    libevt-dev_20150105-1_amd64.deb
    libevt-python_20150105-1_amd64.deb
    libevt-python-dbg_20150105-1_amd64.deb
    libevt-tools_20150105-1_amd64.deb
    

    To install the required deb files run:

    sudo dpkg -i libevt_20150105-1_amd64.deb libevt-python_20150105-1_amd64.deb
    
    Libyaml and Python-bindings

    To install libyaml and Python-bindings run:

    sudo apt-get install libyaml-0-2 python-yaml
    
    Pefile

    TODO describe

    psutil

    To install psutil run:

    sudo apt-get install python-psutil
    
    PySQLite

    Install the following dependencies for building PySQLite:

    sudo apt-get install libsqlite3-dev
    

    TODO describe

    Pytsk

    To build and install Pytsk see:

    • https://github.com/py4n6/pytsk/wiki/Building

    Optional dependencies for output modules

    elasticsearch-py

    Download the latest source package from: https://github.com/elastic/elasticsearch-py

    TODO: describe

    XlsxWriter

    Download the latest source package from: https://github.com/jmcnamara/XlsxWriter/releases

    TODO describe obtaining packing files

    To build deb files run the following command from the build root directory:

    tar xvf XlsxWriter-RELEASE_0.7.7.tar.gz
    cd XlsxWriter-RELEASE_0.7.7
    cp -rf config/dpkg debian
    dpkg-buildpackage -rfakeroot
    cd ..
    

    This will create the following files in the build root directory:

    python-xlsxwriter-0.7.7-1_all.deb
    

    To install the required deb files run:

    sudo dpkg -i python-xlsxwriter-0.7.7-1_all.deb
    
  • Running the development release on Fedora Core Linux

    Manual build

    It is impossible for us to support all flavors of Fedora Core out there, so if you want smooth sailing, we recommend sticking with the supported version or living with the fact that a manual build of the dependencies can be a tedious task.

    For ease of maintenance the following instructions use as many rpm package files as possible. Note that the resulting rpm files are not intended for public redistribution.

    Alternative installation methods like installing directly from source, using easy_install or pip are not recommended because, when not maintained correctly, they can mess up your setup more easily than rpm packages do.

    First create a build root directory:

    mkdir plaso-build/
    

    Next make sure your installation is up to date:

    sudo dnf update
    
    Build essentials

    Make sure the necessary building tools and development packages are installed on the system:

    sudo dnf groupinstall "Development Tools"
    sudo dnf install gcc-c++ python-devel python-setuptools rpm-build git mercurial
    

    TODO: move to libyal section.

    For some of the dependent packages you also require:

    sudo dnf install flex byacc zlib-devel bzip2-devel openssl-devel fuse-devel
    
    Python modules

    The following instructions apply to the following dependencies:

    Name | Download URL | Comments | Dependencies
    --- | --- | --- | ---
    artifacts | https://github.com/ForensicArtifacts/artifacts/releases | |
    bencode | https://pypi.python.org/pypi/bencode | |
    binplist | https://github.com/google/binplist/releases | |
    construct | https://pypi.python.org/pypi/construct#downloads | 2.5.2 or later 2.x version | six
    dateutil | https://pypi.python.org/pypi/python-dateutil | |
    dpkt | https://pypi.python.org/pypi/dpkt | |
    google-apputils | https://pypi.python.org/pypi/google-apputils | |
    PyParsing | http://sourceforge.net/projects/pyparsing/files/ | 2.0.3 or later 2.x version |
    python-gflags | https://github.com/google/python-gflags/releases | |
    pytz | https://pypi.python.org/pypi/pytz | |
    PyYAML | http://pyyaml.org/wiki/PyYAML | |
    pyzmq | https://pypi.python.org/pypi/pyzmq | Needs Cython to build |
    requests | https://github.com/kennethreitz/requests/releases | Make sure to click on: “Show # newer tags” |
    six | https://pypi.python.org/pypi/six#downloads | |
    yara-python | https://github.com/VirusTotal/yara-python | |

    Some of these Python modules can be directly installed via dnf:

    sudo dnf install libyaml pyparsing python-dateutil python-requests python-six PyYAML pytz
    
    construct - Troubleshooting

    Note that the construct package can conflict with the version of construct distributed by Fedora: python-construct.

    DPKT - Troubleshooting

    If you get the following error:

    ImportError: cannot import name pystone
    

    pystone can be found in python-test

    sudo dnf install python-test
    
    Building a RPM

    Setup.py allows you to easily build an RPM in most cases. This paragraph contains a generic description of building an RPM so we do not have to repeat it for every dependency.

    To build an RPM file from package-1.0.0.tar.gz run the following commands from the build root directory.

    First extract the package:

    tar zxvf package-1.0.0.tar.gz
    

    Next change into the package source directory and have setup.py build an RPM:

    cd package-1.0.0/
    python setup.py bdist_rpm
    

    This will create an RPM in the dist sub directory e.g.:

    dist/package-1.0.0-1.noarch.rpm
    

    Note that the actual RPM file name can vary per package.

    To install the RPM from the command line:

    sudo dnf install package-1.0.0/dist/package-1.0.0-1.noarch.rpm
    
    dfVFS

    The dfVFS build instructions can be found here. Note that for dfVFS to function correctly several dependencies, like pytsk, mentioned later in a section of this page, are required.

    Download the latest source package from: https://github.com/log2timeline/dfvfs/releases

    To build rpm files run the following command from the build root directory:

    tar xvf dfvfs-20140219.tar.gz 
    cd dfvfs-20140219/
    python setup.py bdist_rpm
    cd ..
    

    To install the required rpm files run:

    sudo rpm -ivh dfvfs-20140219/dist/dfvfs-20140219-1.noarch.rpm
    
    IPython

    By default Fedora 20 comes with IPython 0.13.2. Plaso requires version 1.2.1 or later.

    TODO: describe

    Hachoir

    Download the latest source package from: https://bitbucket.org/haypo/hachoir/wiki/Install/source

    You’ll need:

    • hachoir-core-1.3.3.tar.gz
    • hachoir-parser-1.3.4.tar.gz
    • hachoir-metadata-1.3.3.tar.gz

    To build rpm files run the following command from the build root directory:

    tar xfv hachoir-core-1.3.3.tar.gz
    cd hachoir-core-1.3.3
    python setup.py build bdist_rpm
    cd ..
    

    To install the required rpm files run:

    sudo rpm -ivh hachoir-core-1.3.3/dist/hachoir-core-1.3.3-1.noarch.rpm
    

    To build rpm files run the following command from the build root directory:

    tar xfv hachoir-parser-1.3.4.tar.gz
    cd hachoir-parser-1.3.4
    python setup.py build bdist_rpm
    cd ..
    

    To install the required rpm files run:

    sudo rpm -ivh hachoir-parser-1.3.4/dist/hachoir-parser-1.3.4-1.noarch.rpm
    

    To build rpm files run the following command from the build root directory:

    tar xfv hachoir-metadata-1.3.3.tar.gz
    cd hachoir-metadata-1.3.3
    python setup.py build bdist_rpm
    cd ..
    

    To install the required rpm files run:

    sudo rpm -ivh hachoir-metadata-1.3.3/dist/hachoir-metadata-1.3.3-1.noarch.rpm
    
    libyal

    The following instructions apply to the following dependencies:

    Name | Download URL | Comments | Dependencies
    --- | --- | --- | ---
    libbde | https://github.com/libyal/libbde | | libfuse, libcrypto
    libesedb | https://github.com/libyal/libesedb | |
    libevt | https://github.com/libyal/libevt | |
    libevtx | https://github.com/libyal/libevtx | |
    libewf | https://github.com/libyal/libewf | | libfuse, libcrypto, zlib
    libfsntfs | https://github.com/libyal/libfsntfs | |
    libfvde | https://github.com/libyal/libfvde | | libfuse, libcrypto, zlib
    libfwsi | https://github.com/libyal/libfwsi | |
    liblnk | https://github.com/libyal/liblnk | |
    libmsiecf | https://github.com/libyal/libmsiecf | |
    libolecf | https://github.com/libyal/libolecf | | libfuse
    libqcow | https://github.com/libyal/libqcow | | libfuse, zlib
    libregf | https://github.com/libyal/libregf | | libfuse
    libscca | https://github.com/libyal/libscca | |
    libsigscan | https://github.com/libyal/libsigscan | |
    libsmdev | https://github.com/libyal/libsmdev | |
    libsmraw | https://github.com/libyal/libsmraw | | libfuse, libcrypto
    libvhdi | https://github.com/libyal/libvhdi | | libfuse
    libvmdk | https://github.com/libyal/libvmdk | | libfuse, zlib
    libvshadow | https://github.com/libyal/libvshadow | | libfuse

    Install the following dependencies for building libyal:

    sudo dnf install bzip2-devel fuse-devel openssl-devel zlib-devel
    

    Since the build process for the libyal libraries is very similar, the following paragraph uses libevt as an example. For more details see the build instructions of the individual projects, e.g. https://github.com/libyal/libevt/wiki/Building.

    Note that there is also a script to batch build the libyal dependencies; more information is available here: https://github.com/log2timeline/l2tdevtools/wiki/Build-script

    Example: libevt and Python-bindings

    Download the latest source package from: https://github.com/libyal/libevt/releases

    To build rpm files run the following commands from the build root directory:

    mv libevt-alpha-20130923.tar.gz libevt-20130923.tar.gz
    rpmbuild -ta libevt-20130923.tar.gz
    

    On a 64-bit version of Fedora 18 this will create the rpm files in the directory:

    ~/rpmbuild/RPMS/x86_64/
    

    To install the required rpm files run:

    sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/libevt-20130923-1.x86_64.rpm ~/rpmbuild/RPMS/x86_64/libevt-python-20130923-1.x86_64.rpm
    
    Pefile

    TODO describe

    Psutil

    Download the latest source package from: https://pypi.python.org/pypi/psutil

    To build rpm files run the following command from the build root directory:

    tar xvf psutil-1.2.1.tar.gz 
    cd psutil-1.2.1/
    python setup.py bdist_rpm
    cd ..
    

    To install the required rpm files run:

    sudo dnf install psutil-1.2.1/dist/psutil-1.2.1-1.x86_64.rpm
    
    python-gflags

    Download the latest source package from: https://github.com/google/python-gflags/releases

    To build rpm files run the following command from the build root directory:

    tar xvf python-gflags-python-gflags-2.0.tar.gz
    cd python-gflags-python-gflags-2.0/
    python setup.py bdist_rpm
    cd ..
    

    To install the required rpm files run:

    sudo dnf install python-gflags-python-gflags-2.0/dist/python-gflags-2.0-1.noarch.rpm
    
    Pytsk

    To build and install Pytsk see:

    • https://github.com/py4n6/pytsk/wiki/Building

    Optional dependencies for output modules

    elasticsearch-py

    Download the latest source package from: https://github.com/elastic/elasticsearch-py

    TODO: describe

    XlsxWriter

    Download the latest source package from: https://github.com/jmcnamara/XlsxWriter/releases

    To build rpm files run the following command from the build root directory:

    tar xvf XlsxWriter-RELEASE_0.7.3.tar.gz
    cd XlsxWriter-RELEASE_0.7.3/
    python setup.py bdist_rpm
    cd ..
    

    To install the required rpm files run:

    sudo dnf install XlsxWriter-RELEASE_0.7.3/dist/XlsxWriter-0.7.3-1.noarch.rpm
    
  • Running the development release on Mac OS X

    This page contains detailed instructions on how to build and install dependencies on Mac OS X.

    There are multiple ways to install the dependencies on Mac OS X:

    • Prepackaged dependencies;
    • Using the log2timeline devtools to batch build most of the dependencies;
    • Manual build of the dependencies.

    Note that if you have a non-Apple version of Python installed, e.g. downloaded from Python.org, MacPorts or equivalent, you will very likely run into version mismatches between the Apple and the non-Apple versions of Python. It is therefore recommended to stick with the Apple versions of Python.

    Prepackaged dependencies

    Moved to Dependencies.md#macos

    Batch build

    Moved to Dependencies.md#batch-build

    Manual build

    It is impossible for us to support all flavors of Mac OS X out there, so if you want smooth sailing, we recommend sticking with the supported version or living with the fact that a manual build of the dependencies can be a tedious task.

    For ease of maintenance the following instructions use as many pkg packages as possible. Note that the resulting pkg packages are not intended for public redistribution.

    Alternative installation methods like installing directly from source, using easy_install or pip are not recommended because, when not maintained correctly, they can mess up your setup more easily than pkg packages do.

    First create a build root directory:

    mkdir plaso-build/
    
    Build essentials

    Make sure the necessary building tools and development packages are installed on the system:

    • Python 2.7 (or a later 2.x version)
    • Python setuptools or distutils
    • XCode
      • Command Line Tools
    • Cython

    Cython

    Download the latest source package from: http://cython.org/#download

    To build pkg files run the following command from the build root directory:

    tar -zxvf Cython-0.23.1.tar.gz
    cd Cython-0.23.1
    python setup.py install --root=$PWD/tmp --install-data=/usr/local 
    pkgbuild --root tmp --identifier org.cython.cython --version 0.23.1 --ownership recommended ../cython-0.23.1.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg cython-0.23.1.pkg
    
    Python modules

    The following instructions apply to the following dependencies:

    Name | Download URL | Identifier | Comments | Dependencies
    --- | --- | --- | --- | ---
    artifacts | https://github.com/ForensicArtifacts/artifacts/releases | com.github.ForensicArtifacts.artifacts | |
    bencode | https://pypi.python.org/pypi/bencode | org.python.pypi.bencode | |
    binplist | https://github.com/google/binplist/releases | com.github.google.binplist | |
    construct | https://pypi.python.org/pypi/construct#downloads | org.python.pypi.construct | latest 2.x version | six
    dateutil | https://pypi.python.org/pypi/python-dateutil | com.github.dateutil.dateutil | |
    dpkt | https://pypi.python.org/pypi/dpkt | org.python.pypi.dpkt | |
    google-apputils | https://pypi.python.org/pypi/google-apputils | com.github.google.google-apputils | |
    PyParsing | http://sourceforge.net/projects/pyparsing/files/ | net.sourceforge.pyparsing | |
    python-gflags | https://github.com/google/python-gflags/releases | com.github.google.python-gflags | |
    pytz | https://pypi.python.org/pypi/pytz | org.python.pypi.pytz | |
    pyzmq | https://pypi.python.org/pypi/pyzmq | com.github.zeromq.pyzmq | Needs Cython to build |
    requests | https://github.com/kennethreitz/requests/releases | com.github.kennethreitz.requests | Make sure to click on: “Show # newer tags” |
    six | https://pypi.python.org/pypi/six#downloads | org.python.pypi.six | |
    yara-python | https://github.com/VirusTotal/yara-python | | |

    Building a PKG

    To build pkg files run the following commands from the build root directory.

    First extract the package:

    tar -zxvf package-1.0.0.tar.gz 
    

    Next change into the package source directory and have setup.py build and install the package:

    cd package-1.0.0/
    python setup.py install --root=$PWD/tmp --install-data=/usr/local 
    

    This will install the package into the following sub directory:

    tmp
    

    Next create a pkg:

    pkgbuild --root tmp --identifier $IDENTIFIER --version 1.0.0 --ownership recommended ../package-1.0.0.pkg
    cd ..
    

    Where $IDENTIFIER contains a unique identifier for the package, e.g. com.github.ForensicArtifacts.artifacts for artifacts.

    To install the required pkg files run:

    sudo installer -target / -pkg package-1.0.0.pkg
    
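    The “Building a PKG” steps above as one function, as an added example for these docs (not plaso’s or l2tdevtools’ own code). Its point is consistency: the pkgbuild --version and the name of the resulting .pkg are both derived from the tarball name, so a package cannot be stamped with a version that differs from the source it was built from. It assumes the Apple Python 2.7 is the python on PATH, that Xcode’s pkgbuild is installed, and that it is run from the build root; the identifier is passed explicitly, as with $IDENTIFIER in the text.

```shell
#!/bin/sh
# build_pkg.sh: the "Building a PKG" steps as one function. The pkgbuild
# --version and the .pkg file name are derived from the tarball name so the
# three cannot drift apart. Added example for these docs, not plaso's or
# l2tdevtools' own code. Assumes the Apple Python 2.7 (python on PATH),
# Xcode's pkgbuild, and that it is run from the build root.
#
# Usage (from the build root):
#   . ./build_pkg.sh; build_pkg psutil-1.2.1.tar.gz org.python.pypi.psutil

# psutil-1.2.1.tar.gz -> psutil-1.2.1 (the directory tar creates)
tarball_stem() {
  b=$(basename "$1")
  case "$b" in
    *.tar.gz) printf '%s\n' "${b%.tar.gz}" ;;
    *.tgz)    printf '%s\n' "${b%.tgz}" ;;
    *)        return 1 ;;
  esac
}

# Version = everything after the first "-" or "_" that is followed by a digit:
#   dfvfs-20140219 -> 20140219, XlsxWriter-RELEASE_0.7.3 -> 0.7.3,
#   pefile-1.2.10-139 -> 1.2.10-139, libevt-alpha-20130415 -> 20130415.
# Stems whose project part itself contains a digit are not handled (returns 1);
# pass the version explicitly in that case.
version_from_stem() {
  v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*[-_]\([0-9].*\)$/\1/p')
  [ -n "$v" ] && printf '%s\n' "$v"
}

# build_pkg <tarball> <identifier> [version]: extract, stage with setup.py
# into <stem>/tmp, then wrap the staging tree in <stem>.pkg in the build root.
build_pkg() {
  tarball=$1; identifier=$2
  stem=$(tarball_stem "$tarball") || {
    echo "unsupported archive: $tarball" >&2; return 1; }
  if [ -n "${3:-}" ]; then
    version=$3
  else
    version=$(version_from_stem "$stem") || {
      echo "cannot derive a version from $stem; pass it as the third argument" >&2
      return 1; }
  fi
  [ -n "$identifier" ] || { echo "a reverse-DNS identifier is required" >&2; return 1; }
  tar xzf "$tarball"
  rm -rf "$stem/tmp"     # never wrap a stale staging tree from an earlier run
  (cd "$stem" \
     && python setup.py install --root="$PWD/tmp" --install-data=/usr/local \
     && pkgbuild --root tmp --identifier "$identifier" --version "$version" \
                 --ownership recommended "../$stem.pkg")
}
```

    The staging tree is removed before setup.py runs because pkgbuild packages whatever is under --root: files left over from a previous build of another version would otherwise be shipped in the new pkg.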
    dfVFS

    The dfVFS build instructions can be found here. Note that for dfVFS to function correctly several dependencies, like pytsk, mentioned later in a section of this page, are required.

    Download the latest source package from: https://github.com/log2timeline/dfvfs/releases

    To build pkg files run the following command from the build root directory:

    tar xfvz dfvfs-20140219.tar.gz
    cd dfvfs-20140219/
    python setup.py install --root=$PWD/tmp --install-data=/usr/local
    pkgbuild --root tmp --identifier com.github.log2timeline.dfvfs --version 20140219 --ownership recommended ../python-dfvfs-20140219.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg python-dfvfs-20140219.pkg
    
    IPython

    Download the latest source package from: https://github.com/ipython/ipython/releases

    To build pkg files run the following command from the build root directory:

    tar xfvz ipython-1.2.1.tar.gz
    cd ipython-1.2.1
    python setup.py install --root=$PWD/tmp --install-data=/usr/local 
    pkgbuild --root tmp --identifier org.github.ipython.ipython --version 1.2.1 --ownership recommended ../ipython-1.2.1.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg ipython-1.2.1.pkg
    
    gnureadline

    Download the latest source package from: https://pypi.python.org/pypi/gnureadline

    To build pkg files run the following command from the build root directory:

    tar xfv gnureadline-6.3.3.tar.gz
    cd gnureadline-6.3.3
    python setup.py install --root=$PWD/tmp --install-data=/usr/local
    pkgbuild --root tmp --identifier org.python.pypi.gnureadline --version 6.3.3 --ownership recommended ../gnureadline-6.3.3.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg gnureadline-6.3.3.pkg
    
    Hachoir

    Download the latest source package from: https://bitbucket.org/haypo/hachoir/wiki/Install/source

    You’ll need:

    • hachoir-core-1.3.3.tar.gz
    • hachoir-parser-1.3.4.tar.gz
    • hachoir-metadata-1.3.3.tar.gz

    To build pkg files run the following command from the build root directory:

    tar xfvz hachoir-core-1.3.3.tar.gz
    cd hachoir-core-1.3.3
    python setup.py install --root=$PWD/tmp --install-data=/usr/local 
    pkgbuild --root tmp --identifier org.bitbucket.hachoir.core --version 1.3.3 --ownership recommended ../python-hachoir-core-1.3.3.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg python-hachoir-core-1.3.3.pkg
    

    To build pkg files run the following command from the build root directory:

    tar xfvz hachoir-parser-1.3.4.tar.gz
    cd hachoir-parser-1.3.4
    python setup.py install --root=$PWD/tmp --install-data=/usr/local 
    pkgbuild --root tmp --identifier org.bitbucket.hachoir.parser --version 1.3.4 --ownership recommended ../python-hachoir-parser-1.3.4.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg python-hachoir-parser-1.3.4.pkg
    

    To build pkg files run the following command from the build root directory:

    tar xfvz hachoir-metadata-1.3.3.tar.gz
    cd hachoir-metadata-1.3.3
    python setup.py install --root=$PWD/tmp --install-data=/usr/local 
    pkgbuild --root tmp --identifier org.bitbucket.hachoir.metadata --version 1.3.3 --ownership recommended ../python-hachoir-metadata-1.3.3.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg python-hachoir-metadata-1.3.3.pkg
    
    libyal

    The following instructions apply to the following dependencies:

    Name | Download URL | Comments | Dependencies
    --- | --- | --- | ---
    libbde | https://github.com/libyal/libbde | | libfuse
    libesedb | https://github.com/libyal/libesedb | |
    libevt | https://github.com/libyal/libevt | |
    libevtx | https://github.com/libyal/libevtx | |
    libewf | https://github.com/libyal/libewf | | libfuse, zlib
    libfsntfs | https://github.com/libyal/libfsntfs | |
    libfvde | https://github.com/libyal/libfvde | | libfuse, zlib
    libfwsi | https://github.com/libyal/libfwsi | |
    liblnk | https://github.com/libyal/liblnk | |
    libmsiecf | https://github.com/libyal/libmsiecf | |
    libolecf | https://github.com/libyal/libolecf | | libfuse
    libqcow | https://github.com/libyal/libqcow | | libfuse, zlib
    libregf | https://github.com/libyal/libregf | | libfuse
    libscca | https://github.com/libyal/libscca | |
    libsigscan | https://github.com/libyal/libsigscan | |
    libsmdev | https://github.com/libyal/libsmdev | |
    libsmraw | https://github.com/libyal/libsmraw | | libfuse
    libvhdi | https://github.com/libyal/libvhdi | | libfuse
    libvmdk | https://github.com/libyal/libvmdk | | libfuse, zlib
    libvshadow | https://github.com/libyal/libvshadow | | libfuse

    Install the following dependencies for building libyal:

    • zlib
    • bzip2

    TODO: describe building dependencies.

    Since the build process for the libyal libraries is very similar, the following paragraph uses libevt as an example. For more details see the build instructions of the individual projects, e.g. https://github.com/libyal/libevt/wiki/Building.

    Note that there is also a script to batch build the libyal dependencies; more information is available here: https://github.com/log2timeline/l2tdevtools/wiki/Build-script

    Example: libevt and Python-bindings

    Download the latest source package from: https://github.com/libyal/libevt/releases

    Note that Mac OS X 10.11 (El Capitan) disallows installation in /usr by default, hence we use /usr/local.

    To build pkg files run the following command from the build root directory:

    tar xfvz libevt-alpha-20130415.tar.gz
    cd libevt-alpha-20130415
    ./configure --disable-dependency-tracking --prefix=/usr/local --enable-python --with-pyprefix
    make && make install DESTDIR=$PWD/osx-pkg
    mkdir -p $PWD/osx-pkg/usr/share/doc/libevt
    cp LICENSE $PWD/osx-pkg/usr/share/doc/libevt
    pkgbuild --root osx-pkg --identifier com.github.libyal.libevt --version 20130415 --ownership recommended ../libevt-20130415.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg libevt-20130415.pkg
    
    Libyaml and Python-bindings

    Download the latest source package from: http://pyyaml.org/download/libyaml/ (or http://pyyaml.org/wiki/LibYAML)

    Note that Mac OS X 10.11 (El Capitan) disallows installation in /usr by default, hence we use /usr/local.

    To build pkg files run the following command from the build root directory:

    tar xfvz yaml-0.1.6.tar.gz
    cd yaml-0.1.6
    ./configure --prefix=/usr/local
    make
    make install DESTDIR=$PWD/osx-pkg
    pkgbuild --root osx-pkg --identifier org.pyyaml.yaml --version 0.1.6 --ownership recommended ../libyaml-0.1.6.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg libyaml-0.1.6.pkg
    

    Download the latest source package from: http://pyyaml.org/wiki/PyYAML

    To build pkg files run the following command from the build root directory:

    tar xfvz PyYAML-3.11.tar.gz
    cd PyYAML-3.11/
    python setup.py install --root=$PWD/tmp --install-data=/usr/local
    pkgbuild --root tmp --identifier org.pyyaml.yaml.python --version 3.11 --ownership recommended ../python-yaml-3.11.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg python-yaml-3.11.pkg
    
    Liblzma and Python-bindings

    Download the latest source package from: http://tukaani.org/xz/

    Note that Mac OS X 10.11 (El Capitan) disallows installation in /usr by default, hence we use /usr/local.

    To build pkg files run the following command from the build root directory:

    tar xfvz xz-5.2.3.tar.gz
    cd xz-5.2.3
    ./configure --prefix=/usr/local
    make
    make install DESTDIR=$PWD/osx-pkg
    pkgbuild --root osx-pkg --identifier org.tukaani.xz --version 5.2.3 --ownership recommended ../xz-5.2.3.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg xz-5.2.3.pkg
    

    Download the latest source package from: https://pypi.python.org/pypi/pyliblzma

    To build pkg files run the following command from the build root directory:

    tar xfvz pyliblzma-0.5.3.tar.gz
    cd pyliblzma-0.5.3/
    python setup.py install --root=$PWD/tmp --install-data=/usr/local
    pkgbuild --root tmp --identifier org.python.pypi.pyliblzma --version 0.5.3 --ownership recommended ../python-lzma-0.5.3.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg python-lzma-0.5.3.pkg
    
    Pefile

    Download the latest source package from: https://github.com/erocarrera/pefile/releases

    TODO describe manual fixes

    To build pkg files run the following command from the build root directory:

    tar -zxvf pefile-1.2.10-139.tar.gz
    cd pefile-pefile-1.2.10-139/
    python setup.py install --root=$PWD/tmp --install-data=/usr/local 
    pkgbuild --root tmp --identifier com.github.erocarrer.pefile --version 1.2.10-139 --ownership recommended ../python-pefile-1.2.10-139.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg python-pefile-1.2.10-139.pkg
    
    Pyparsing

    Remove the outdated version of pyparsing distributed with Mac OS X:

    sudo rm /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pyparsing*
    

    Note that Mac OS X 10.11 (El Capitan) disallows removing these files.

    On El Capitan we recommend overriding PYTHONPATH:

    PYTHONPATH=/Library/Python/2.7/site-packages/ log2timeline.py
    

    Which you can alias e.g.

    alias log2timeline.py="PYTHONPATH=/Library/Python/2.7/site-packages/ log2timeline.py"
    

    To be able to remove the files you’ll have to disable System Integrity Protection (SIP or rootless).

    Psutil

    Download the latest source package from: https://pypi.python.org/pypi/psutil/#downloads

    To build pkg files run the following command from the build root directory:

    tar xvfz psutil-1.2.1.tar.gz
    cd psutil-1.2.1/
    python setup.py install --root=$PWD/tmp --install-data=/usr/local
    pkgbuild --root tmp --identifier org.python.pypi.psutil --version 1.2.1 --ownership recommended ../python-psutil-1.2.1.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg python-psutil-1.2.1.pkg
    
    Pytsk

    To build and install Pytsk see:

    • https://github.com/py4n6/pytsk/wiki/Building#using-mac-os-x-pkgbuild
    SQLite

    TODO describe

    Optional dependencies for output modules
    elasticsearch-py

    Download the latest source package from: https://github.com/elastic/elasticsearch-py

    TODO: describe

    XlsxWriter

    Download the latest source package from: https://github.com/jmcnamara/XlsxWriter/releases

    To build pkg files run the following command from the build root directory:

    tar zxfv XlsxWriter-RELEASE_0.7.3.tar.gz
    cd XlsxWriter-RELEASE_0.7.3/
    python setup.py install --root=$PWD/tmp --install-data=/usr/local 
    pkgbuild --root tmp --identifier com.github.jmcnamara.xlsxwriter --version 0.7.3 --ownership recommended ../python-xlsxwriter-0.7.3.pkg
    cd ..
    

    To install the required pkg files run:

    sudo installer -target / -pkg python-xlsxwriter-0.7.3.pkg
    
  • Running the development release on Windows

    This page contains detailed instructions on how to build and install dependencies on Windows.

    There are multiple ways to install the dependencies on Windows:

    • Prepackaged dependencies;
    • Using the log2timeline devtools to batch build most of the dependencies;
    • Manual build of the dependencies.
    Prepackaged dependencies

    Moved to Dependencies.md#windows

    Batch build

    Moved to Dependencies.md#batch-build

    Manual build

    For ease of maintenance the following instructions use MSI package files wherever possible, so that the installed dependencies can be managed via “Programs and Features”. Note that the resulting MSI files are not intended for public redistribution.

    Note that when making MSI packages, make sure to remove the previous version before installing the newer version.

    Alternative installation methods like installing directly from source, using easy_install or pip are not recommended, because when not maintained correctly they can mess up your setup more easily than using MSIs. For example, easy_install and pip do not always remove older versions (for instance when upgrading IPython 0.13 to 1.1). Python distutils generated MSI packages do not detect and remove previous versions either, but with MSIs it is less likely that you end up with multiple different versions of the same package installed side-by-side.

    If you run into problems building, installing or running the dependencies first check: Troubleshooting.

    Build essentials

    Make sure the necessary building tools and development packages are installed on the system:

    Note that plaso itself is platform independent but if you use a 64-bit version of Python all of the dependencies should be compiled as 64-bit.

    First create a build root directory:

    C:\plaso-build\
    
    Cython

    Download the latest source package from: http://cython.org/#download

    To build the MSI file run the following commands from the build root directory:

    tar xfv Cython-0.23.1.tar.gz
    cd Cython-0.23.1
    C:\Python27\python.exe setup.py bdist_msi
    cd ..
    

    This will create a MSI in the dist sub directory e.g.:

    dist\Cython-0.23.1.win32-py2.7.msi
    

    Install the MSI.

    Python modules

    The following instructions apply to the following dependencies:

    Name | Download URL | Comments | Dependencies
    --- | --- | --- | ---
    artifacts | https://github.com/ForensicArtifacts/artifacts/releases | |
    bencode | https://pypi.python.org/pypi/bencode | |
    binplist | https://github.com/google/binplist/releases | |
    construct | https://pypi.python.org/pypi/construct#downloads | 2.5.2 or later 2.x version | six
    dateutil | https://pypi.python.org/pypi/python-dateutil | |
    dfdatetime | https://github.com/log2timeline/dfdatetime/releases | |
    dfvfs | https://github.com/log2timeline/dfvfs/releases | |
    dfwinreg | https://github.com/log2timeline/dfwinreg/releases | |
    dpkt | https://pypi.python.org/pypi/dpkt | |
    google-apputils | https://pypi.python.org/pypi/google-apputils | |
    hachoir-core | https://bitbucket.org/haypo/hachoir/wiki/Install/source | |
    hachoir-parser | https://bitbucket.org/haypo/hachoir/wiki/Install/source | |
    hachoir-metadata | https://bitbucket.org/haypo/hachoir/wiki/Install/source | |
    pefile | https://github.com/erocarrera/pefile/releases | |
    psutil | https://pypi.python.org/pypi/psutil | |
    PyParsing | http://sourceforge.net/projects/pyparsing/files/ | 2.0.3 or later 2.x version |
    python-gflags | https://github.com/google/python-gflags/releases | |
    pytsk | https://github.com/py4n6/pytsk/releases | |
    pytz | https://pypi.python.org/pypi/pytz | |
    PyYAML | http://pyyaml.org/wiki/PyYAML | |
    pyzmq | https://pypi.python.org/pypi/pyzmq | Needs Cython to build |
    requests | https://github.com/kennethreitz/requests/releases | Make sure to click on: “Show # newer tags” |
    six | https://pypi.python.org/pypi/six#downloads | |
    yara-python | https://github.com/VirusTotal/yara-python | |
    XlsxWriter | https://github.com/jmcnamara/XlsxWriter/releases | |

    Building a MSI

    Setup.py allows you to easily build a MSI in most cases. This paragraph contains a generic description of building a MSI so we do not have to repeat this for every dependency.

    To build a MSI file from package-1.0.0.tar.gz run the following commands from the build root directory.

    First extract the package:

    tar zxvf package-1.0.0.tar.gz
    

    If you are not familiar with extracting tar files on Windows see: How to unpack a tar file in Windows

    Next change into the package source directory and have setup.py build a MSI:

    cd package-1.0.0\
    C:\Python27\python.exe setup.py bdist_msi
    

    This will create a MSI in the dist sub directory e.g.:

    dist\package-1.0.0.win32.msi
    

    Note that the actual MSI file name can vary per package.

    To install the MSI from the command line:

    msiexec.exe /i dist\package-1.0.0.win32.msi /q
    
    libyal

    The following instructions apply to the following dependencies:

    Name | Download URL | Comments | Dependencies
    --- | --- | --- | ---
    libbde | https://github.com/libyal/libbde | |
    libesedb | https://github.com/libyal/libesedb | |
    libevt | https://github.com/libyal/libevt | |
    libevtx | https://github.com/libyal/libevtx | |
    libewf | https://github.com/libyal/libewf-legacy | | zlib
    libfsntfs | https://github.com/libyal/libfsntfs | |
    libfvde | https://github.com/libyal/libfvde | |
    libfwnt | https://github.com/libyal/libfwnt | |
    libfwsi | https://github.com/libyal/libfwsi | |
    liblnk | https://github.com/libyal/liblnk | |
    libmsiecf | https://github.com/libyal/libmsiecf | |
    libolecf | https://github.com/libyal/libolecf | |
    libqcow | https://github.com/libyal/libqcow | |
    libregf | https://github.com/libyal/libregf | |
    libscca | https://github.com/libyal/libscca | |
    libsigscan | https://github.com/libyal/libsigscan | |
    libsmdev | https://github.com/libyal/libsmdev | |
    libsmraw | https://github.com/libyal/libsmraw | |
    libvhdi | https://github.com/libyal/libvhdi | |
    libvmdk | https://github.com/libyal/libvmdk | |
    libvshadow | https://github.com/libyal/libvshadow | |

    Install the following dependencies for building libyal:

    • zlib

    TODO: describe building dependencies.

    Since the build process for the libyal libraries is very similar, the following paragraph uses libevt as an example. For more details see the build instructions of the individual projects, e.g. https://github.com/libyal/libevt/wiki/Building.

    Note that there is also a script to batch build the libyal dependencies; more information here: https://github.com/log2timeline/l2tdevtools/wiki/Build-script

    Example: libevt and Python-bindings

    Download the latest source package from: https://github.com/libyal/libevt/releases

    Extract the source package:

    tar xfv libevt-alpha-20131013.tar.gz
    

    Next change into the package source directory and have setup.py build a MSI:

    cd libevt-20131013
    C:\Python27\python.exe setup.py bdist_msi
    

    This will create a MSI in the dist sub directory e.g.:

    dist\pyevt-20131013.1.win32-py2.7.msi
    

    Install the MSI.

    pysqlite

    By default Python 2.7 comes with pysqlite 2.6.0 which works fine in combination with sqlite3 version 3.7.8.

    Follow the instructions below if you wish to update pysqlite to a newer version.

    Download the latest source package from: https://pypi.python.org/pypi/pysqlite

    TODO: describe what changes are necessary to get this working, DLL import and find the sqlite3.h include header.

    To build the MSI file run the following commands from the build root directory:

    tar xfv pysqlite-2.6.3.tar.gz
    cd pysqlite-2.6.3\
    cp ..\sqlite3\sqlite3.h src\
    cp ..\sqlite3\msvscpp\Release\sqlite3.dll .
    cp ..\sqlite3\msvscpp\Release\sqlite3.lib .
    C:\Python27\python.exe setup.py bdist_msi
    cd ..
    

    This will create a MSI in the dist sub directory e.g.:

    dist\pysqlite-2.6.3.win32.msi
    

    Remove:

    C:\Python27\DLLs\sqlite3.dll
    C:\Python27\DLLs\_sqlite3.pyd
    C:\Python27\Lib\sqlite3\
    

    Install the MSI.

    Copy sqlite3.dll to:

    C:\Python27\Lib\site-packages\pysqlite2\
    
    pywin32

    Download the latest installer from: http://sourceforge.net/projects/pywin32/files/pywin32/

    SQLite

    Plaso requires at least sqlite3 version 3.7.8. By default Python 2.7 comes with a far older version that cannot handle newer Firefox sqlite3 database files.

    Download the latest source package from: http://www.sqlite.org/download.html

    E.g. sqlite-amalgamation-3080100.zip

    Extract the source package in the build root directory.

    Download the sqlite3 Visual Studio 2008 solution files.

    Extract the sqlite3 Visual Studio 2008 solution files in the sqlite-amalgamation source directory.

    Open the Microsoft Visual Studio 2008 solution file:

    C:\plaso-build\sqlite-amalgamation-3080100\msvscpp\sqlite3.sln
    

    Build the solution.

    If the build is successful copy the SQLite DLL to your Python installation:

    copy C:\plaso-build\sqlite-amalgamation-3080100\msvscpp\Release\sqlite3.dll C:\Python27\DLLs\
    
    Optional dependencies for output modules
    elasticsearch-py

    Download the latest source package from: https://github.com/elastic/elasticsearch-py

    TODO: describe

Getting Started

Once you’ve set up your development environment we recommend starting simple:

How to write a parser plugin

Writing a parser plugin is different depending on which parser you’re writing a plugin for. Parsers that support plugins are:

  • bencode
  • cookie
  • esedb
  • olecf
  • plist
  • sqlite
  • syslog
  • winreg
How to write an analysis plugin
Create file and class
  • Plugin file in plaso/analysis/
    • Create an empty subclass of plaso.analysis.interface.AnalysisPlugin
    • Register it with the analysis plugin manager by calling AnalysisPluginManager.RegisterPlugin
  • Test file in tests/analysis/
    • Create an empty subclass of tests.analysis.test_lib.AnalysisPluginTestCase
Write minimal tests
  • Write a test that loads your plugin
  • It will fail initially, but running the test while you’re developing your plugin gives you a quick way to see if your code is doing what you expect.
Develop plugin
  • Implement your subclass of plaso.analysis.interface.AnalysisPlugin
  • You’ll need to define/override:
    • NAME
    • ExamineEvent()
    • CompileReport()
  • You may also want to override:
    • URLS
    • ENABLE_IN_EXTRACTION, if your plugin is eligible to run while Plaso is extracting events.
Expand tests
  • Add additional tests that test your plugin
Register classes
  • Edit plaso/analysis/__init__.py to import your plugin in the correct alphabetical order.
Code review/submit
How to write an output module
Create file and class
  • Plugin file in plaso/output/
    • Create an empty subclass of plaso.output.interface.OutputModule
    • Register it with the output module manager by calling OutputManager.RegisterOutput
  • Test file in tests/output/
    • Create an empty subclass of tests.output.test_lib.OutputModuleTestCase
Write minimal tests
  • Write a test that loads your output module.
  • It will fail initially, but running the test while you’re developing your plugin gives you a quick way to see if your code is doing what you expect.
Develop plugin
  • Implement your subclass of plaso.output.interface.OutputModule
  • You’ll need to define/override:
    • NAME
    • DESCRIPTION
    • WriteEventBody
  • You may also want to override:
    • Open()
    • Close()
    • GetMissingArguments()
    • WriteHeader()
    • WriteEventStart()
    • WriteEventEnd()
    • WriteEventMACBGroup()
    • WriteFooter()
Expand tests
  • Add additional tests that test your plugin
Register classes
  • Edit plaso/output/__init__.py to import your plugin in the correct alphabetical order.
Code review/submit

Design

Overview of the general architecture of plaso:

Internals

TODO update the information on this page

Plaso is built with the following roles in mind.

  • Preprocessing
  • Collection
  • Extraction (Worker)
  • Storage

Each front-end may decide to run all of these roles in a single thread, multi-thread or on multiple computers.

Also see: Architecture overview

Preprocessing

This role needs to be run prior to all other processing. The purpose of this role is to go over an image or a mount point, determine which operating system it contains and collect important information that can be used both to augment parsing and to make it more accurate. Examples of what the preprocessing process should collect:

  • Timezone information.
  • Enumerate all users and their paths.
  • Hostname.
  • Default applications, as in default browser, etc.
  • OS specific items that make future processing simpler (as in current control set in registry, code page used, etc.)
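The items above applied to a mounted Linux image, as an added example (it is not Plaso's own preprocessing code): hostname, timezone and user home paths are read from files under the mount point, with a fallback from /etc/timezone to the /etc/localtime symbolic link. The file names, the fallback, and the constructed sample mount point built in a temporary directory are assumptions of this example.

```python
import io
import os
import tempfile


def _ReadText(mount_point, relative_path):
  """Reads a text file relative to the mount point, or returns None."""
  # Strip the leading "/" so that a path taken from inside the image can never
  # resolve to the analyst's own /etc; preprocessing must only read the image.
  path = os.path.join(mount_point, relative_path.lstrip('/'))
  try:
    with io.open(path, 'r', encoding='utf-8', errors='replace') as file_object:
      return file_object.read()
  except (IOError, OSError):
    return None


def _TimezoneFromLocaltime(mount_point):
  """Derives the timezone name from the /etc/localtime symbolic link, if any."""
  path = os.path.join(mount_point, 'etc', 'localtime')
  try:
    target = os.readlink(path)
  except OSError:
    return None
  # Typical link target: /usr/share/zoneinfo/Europe/Reykjavik
  if 'zoneinfo/' not in target:
    return None
  return target.split('zoneinfo/', 1)[1]


def PreprocessLinuxMountPoint(mount_point):
  """Collects hostname, timezone and user home paths from a mounted Linux image.

  Args:
    mount_point (str): directory where the image is mounted.

  Returns:
    dict[str, object]: hostname, timezone and a user name to home path mapping;
        hostname and timezone are None when the source files are absent.
  """
  result = {'hostname': None, 'timezone': None, 'users': {}}

  hostname = _ReadText(mount_point, '/etc/hostname')
  if hostname:
    result['hostname'] = hostname.strip()

  timezone = _ReadText(mount_point, '/etc/timezone')
  if timezone:
    result['timezone'] = timezone.strip()
  else:
    result['timezone'] = _TimezoneFromLocaltime(mount_point)

  passwd = _ReadText(mount_point, '/etc/passwd')
  for line in (passwd or '').splitlines():
    # passwd format: name:password:uid:gid:gecos:home:shell
    fields = line.split(':')
    if len(fields) != 7:
      continue  # malformed or truncated entry: skip it, do not abort the run
    result['users'][fields[0]] = fields[5]

  return result


def BuildSampleMountPoint():
  """Creates a constructed sample mount point in a temporary directory."""
  root = tempfile.mkdtemp(prefix='plaso-preprocess-')
  etc = os.path.join(root, 'etc')
  os.makedirs(etc)
  with io.open(os.path.join(etc, 'hostname'), 'w', encoding='utf-8') as file_object:
    file_object.write(u'ws01\n')
  with io.open(os.path.join(etc, 'passwd'), 'w', encoding='utf-8') as file_object:
    file_object.write(
        u'root:x:0:0:root:/root:/bin/bash\n'
        u'alice:x:1000:1000:Alice:/home/alice:/bin/bash\n'
        u'broken:line\n')
  try:
    os.symlink('/usr/share/zoneinfo/Europe/Reykjavik', os.path.join(etc, 'localtime'))
  except (AttributeError, OSError):
    # Symbolic links are unavailable on this host: fall back to /etc/timezone.
    with io.open(os.path.join(etc, 'timezone'), 'w', encoding='utf-8') as file_object:
      file_object.write(u'Europe/Reykjavik\n')
  return root


if __name__ == '__main__':
  print(PreprocessLinuxMountPoint(BuildSampleMountPoint()))
```

Note that every lookup tolerates a missing or malformed file: a damaged image must degrade the preprocessing result, not stop the run before extraction starts.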
Collection

The purpose of the collection role is to go over the image, directory or mount point and find all files that the tool can process. This process should try to limit memory usage and processing, since its purpose is to be quicker than the workers: it should detect files and fill the processing queue faster than the workers empty it.

The collection process gets a bit more complex when dealing with VSS snapshots, since that requires some processing to avoid handling files that have not changed between snapshots more than once.

In essence the collection can be divided into three different scenarios:

  • In its simplest form, “take everything”: the collection process recursively goes through either a mount point or an image file and collects every file discovered.
  • Collection with VSS: during the recursive scan, if VSS snapshots are to be parsed, a hash is calculated from the four timestamps of every file. During the collection phase from the VSS image the hash value is compared to the already existing hashes for that file. If the file has not previously been collected it is included, otherwise it is skipped.
  • Targeted collection: a set of file paths is defined and the tool only collects the files that fit that pattern.
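The three scenarios above in one function, as an added example (not Plaso's collection code): the volume and its snapshots are walked in order, each file is keyed by a hash of its path and four timestamps so that an unchanged file is collected only from the first snapshot it appears in, and an optional list of glob patterns turns the walk into a targeted collection. The in-memory snapshot records, the integer timestamps and the case-insensitive pattern matching are assumptions of this example.

```python
import fnmatch
import hashlib


def TimestampKey(path, timestamps):
  """Builds the de-duplication key of a file from its four NTFS timestamps.

  Args:
    path (str): path of the file inside the volume.
    timestamps (tuple[int, int, int, int]): creation, modification, access and
        MFT entry modification timestamps.

  Returns:
    str: SHA-256 hexdigest over the lower-cased path and the timestamps.
  """
  parts = [path.lower()] + [str(timestamp) for timestamp in timestamps]
  return hashlib.sha256(u'|'.join(parts).encode('utf-8')).hexdigest()


def Collect(snapshots, targets=None):
  """Collects the files to process from a volume and its VSS snapshots.

  Args:
    snapshots (list[tuple[str, list]]): (snapshot name, entries) pairs with the
        current volume first, where every entry is (path, timestamps).
    targets (Optional[list[str]]): glob patterns for a targeted collection;
        when None every file is collected.

  Returns:
    list[tuple[str, str]]: (snapshot name, path) of every file to process.
  """
  seen = set()
  collected = []
  for snapshot_name, entries in snapshots:
    for path, timestamps in entries:
      if targets is not None and not any(
          fnmatch.fnmatchcase(path.lower(), target.lower()) for target in targets):
        continue
      key = TimestampKey(path, timestamps)
      if key in seen:
        # Same path with identical timestamps was already collected from an
        # earlier snapshot: treat the file as unchanged and skip it.
        continue
      seen.add(key)
      collected.append((snapshot_name, path))
  return collected


# Constructed sample: the live volume and two shadow copies. Timestamps are
# (creation, modification, access, entry modification) as plain integers.
SAMPLE_SNAPSHOTS = [
    ('current', [
        (u'\\Windows\\System32\\config\\SAM', (100, 900, 950, 900)),
        (u'\\Users\\alice\\NTUSER.DAT', (200, 800, 850, 800)),
    ]),
    ('vss1', [
        (u'\\Windows\\System32\\config\\SAM', (100, 900, 950, 900)),  # unchanged: skipped
        (u'\\Users\\alice\\NTUSER.DAT', (200, 700, 750, 700)),  # older version: collected
    ]),
    ('vss2', [
        (u'\\Users\\alice\\NTUSER.DAT', (200, 700, 750, 700)),  # same as in vss1: skipped
    ]),
]


if __name__ == '__main__':
  for snapshot_name, path in Collect(SAMPLE_SNAPSHOTS):
    print(u'{0:s}: {1:s}'.format(snapshot_name, path))
  for snapshot_name, path in Collect(SAMPLE_SNAPSHOTS, targets=[u'\\Users\\*\\NTUSER.DAT']):
    print(u'targeted {0:s}: {1:s}'.format(snapshot_name, path))
```

The key is built from metadata only, which is what keeps the collector cheaper than the workers, but it also means the de-duplication trusts the MFT timestamps: a file whose content was changed and then timestomped back to its previous values looks unchanged across snapshots and is collected only once. For files that matter to the case, compare content hashes between snapshots as well.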
Extraction

This is the main work horse of the application. The worker, or workers, monitor the processing queue and process each file that is placed on it. Processing a file means:

  • Classify it (as in determine which file type this is).
  • Determine if there are parsers that are potentially capable of parsing it.
  • Run the file through those parsers and extract all events from it.
  • If there is a filter defined send that event through the filter (discard event if it does not pass through the filter).
  • Send extracted events to the storage queue.
  • Determine if this file contains other files within it that can be processed/extracted, and process them as well, e.g. files within compressed containers, etc.
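The processing steps above as a small worker loop, added here as an example rather than taken from Plaso: files are classified from their leading bytes, handed to the parsers registered for that type, the resulting events are run through an optional filter before they reach storage, and gzip and zip containers are expanded back onto the queue. The syslog line parser, the Classify function, the MAX_DEPTH and MAX_MEMBER_SIZE limits and the constructed zip of sample log lines are all assumptions of this example.

```python
import collections
import gzip
import io
import re
import zipfile

Event = collections.namedtuple('Event', ['path', 'timestamp', 'message'])

# Assumed limits: a container nested deeper than this, or a zip member larger
# than this, is not expanded, so crafted evidence cannot exhaust the worker.
MAX_DEPTH = 8
MAX_MEMBER_SIZE = 64 * 1024 * 1024

_SYSLOG_LINE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<message>.*)$')


def Classify(data):
  """Determines the file type from the leading bytes."""
  if data[:2] == b'\x1f\x8b':
    return 'gzip'
  if data[:4] == b'PK\x03\x04':
    return 'zip'
  try:
    data.decode('utf-8')
    return 'text'
  except UnicodeDecodeError:
    return 'unknown'


def ParseSyslog(path, data):
  """Yields an Event per syslog line; lines that do not match are ignored."""
  for line in data.decode('utf-8').splitlines():
    match = _SYSLOG_LINE.match(line)
    if match:
      yield Event(path, match.group('timestamp'), match.group('message'))


# File type mapped to the parsers that can potentially handle it.
PARSERS = {'text': [ParseSyslog]}


def ExpandContainer(file_type, path, data):
  """Yields (path, data) for every file nested inside a container."""
  if file_type == 'gzip':
    yield u'{0:s}/gzip'.format(path), gzip.decompress(data)
  elif file_type == 'zip':
    with zipfile.ZipFile(io.BytesIO(data)) as zip_file:
      for info in zip_file.infolist():
        if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
          continue
        yield u'{0:s}/{1:s}'.format(path, info.filename), zip_file.read(info)


def RunWorker(files, event_filter=None):
  """Processes the files and everything nested in them; returns the events.

  Args:
    files (list[tuple[str, bytes]]): (path, data) of the files to process.
    event_filter (Optional[callable]): returns False for events to discard.

  Returns:
    list[Event]: events that passed the filter, in extraction order.
  """
  queue = collections.deque((path, data, 0) for path, data in files)
  storage = []
  while queue:
    path, data, depth = queue.popleft()
    file_type = Classify(data)
    for parser in PARSERS.get(file_type, []):
      for event in parser(path, data):
        if event_filter is not None and not event_filter(event):
          continue
        storage.append(event)
    if depth >= MAX_DEPTH:
      continue  # do not expand containers nested beyond the depth limit
    for child_path, child_data in ExpandContainer(file_type, path, data):
      queue.append((child_path, child_data, depth + 1))
  return storage


def BuildSampleEvidence():
  """Builds a constructed zip holding a syslog file and a gzipped older one."""
  auth_log = (
      u'Mar  3 10:15:01 ws01 CRON[1234]: pam_unix(cron:session): session opened\n'
      u'Mar  3 10:15:07 ws01 sshd[2345]: Accepted publickey for alice from 10.0.0.5\n')
  old_log = u'Feb 28 23:59:59 ws01 sshd[99]: Failed password for root from 203.0.113.9\n'
  buffer_ = io.BytesIO()
  with zipfile.ZipFile(buffer_, 'w') as zip_file:
    zip_file.writestr('var/log/auth.log', auth_log)
    zip_file.writestr('var/log/old/auth.log.gz', gzip.compress(old_log.encode('utf-8')))
  return buffer_.getvalue()


if __name__ == '__main__':
  only_sshd = lambda event: event.message.startswith('sshd')
  for event in RunWorker([('evidence.zip', BuildSampleEvidence())], event_filter=only_sshd):
    print(event)
```

The nested path (for example evidence.zip/var/log/old/auth.log.gz/gzip) is carried along with every event so that the storage keeps track of where inside the container an event came from; the depth counter and member size cap are what stop a recursive archive from turning the worker into a denial of service.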
Storage

The storage role takes care of reading events from the storage queue, filling up a buffer and then flushing that buffer to disk.

The storage portion of the tool also serves as an API to the storage file for later processing and for extracting events from the storage file. The storage library takes care of parsing the metadata structures stored inside the storage file, of tagging and grouping information, and of extracting fully sorted events out of the storage.

Roadmap

A high level roadmap can be found here. Individual features are tracked as a github issue and labeled as “enhancement”. A list of features can be found here.

Contributing Code

Want to add a parser to plaso and you are ready to go? Start by checking here if someone is already working on it. If you don’t see anything there you can just go ahead and create an issue on the github site and mark it as “enhancement”. Assign the issue to yourself so that we can keep track of who is working on what.

If you cannot program and still have a great idea for a feature please go ahead and create an issue and leave it unassigned; note that the priority will be set by whoever wants to work on it. Or consider this the ideal opportunity to teach yourself Python programming.

Before you start writing the code, please review the following:

  • Style guide. All code submitted to the project needs to follow this style guide.
  • Code review. All code that is submitted into the project needs to be reviewed by at least one other person.
  • Adding a new dependency. If your code requires adding a new dependency please check out these instructions.
Before you submit your first code review
  1. Join the development mailing list: log2timeline-dev@googlegroups.com, we recommend using the same account as step 1
  2. Install the required development tools like pylint, python-mock, sphinx
  3. Make sure to run all the tests inside the plaso and the dfVFS codebase, and that they successfully complete on your development system
  4. Make sure your development system is set up correctly so that you can develop and test correctly.
  5. Make sure your email address and name are correctly set in git e.g.:
git config --global user.name "Full Name"
git config --global user.email name@example.com
git config --global push.default matching

Use git config -l to determine the current configuration.

Core features changes

Sometimes you need to make some change to the core of the plaso codebase. In those cases we ask that contributors first create a short design doc explaining the rationale behind the change. The design doc needs to contain:

  1. Describe the problem you are facing
  2. List the objectives of this change
  3. Mention what is in scope and what’s not
  4. Describe the solution/proposal

The preferred way of creating these design docs is to use Google Docs and send the link to the development mailing list so that it can be discussed further before starting to implement the code.

The current design docs are stored here. You may not have access to that folder, so you may need to request access to it.

Tests

Tests are part of a maintainable code base. Code without sufficient tests is very likely to be broken by a large rewrite/refactor.

Some guidelines for writing tests: Style guide - tests

Code Review

All code submitted into the plaso project goes through code review. We use the GitHub codereview process, which while not perfect, is good enough for our purposes.

One helpful hint: while you have code in code review, monitor the development mailing list for large changes or new dependencies that may potentially affect your code. Such changes may include code refactors that change the plugin interface while you have a plugin in review. These should be rare but they do happen every now and then.

Rationale

To keep the code base maintainable and readable all code is developed using a similar coding style. See the style guide. This makes the code easier to maintain and understand.

The purpose of the code review is to ensure that:

  • at least two pairs of eyes looked over the code in the hope of finding potential bugs or errors (before they become bugs and errors). This also improves the overall code quality.
  • the code adheres to the style guide (we do have a linter but that is not perfect).
  • design decisions are reviewed and, if needed, the code is made more optimal or error tolerant.

The short version:

don’t be intimidated.

The longer version:

One language is not the same as another: you might be fluent in C or Perl, but that does not mean the same for Python. You might have just started programming while others have been doing this for years. Our challenge is having a code base that is accessible and sufficiently uniform to most of you.

Also don’t be intimidated by rewrites/refactors, which often make it feel as if the code base is changing under your feet. We have to make sure the code base is maintainable, and a necessary evil there is to regularly reshape and clean up things to get new features in.

We continuously try to improve the code base, including making things easier and quicker to write, which sometimes means that the way you just learned might already be superseded by another. We try to keep the documentation up to date but this will sometimes be after you ran into an issue.

First time contributors may find that the code review process actually takes quite a long time, with lots of back and forth comments. You may think that you are wasting the core developers’ time, but rest assured you are not. We look at this as an investment in building up good solid code contributors. We would like to make sure our contributors understand the code and the style guide and will make suggestions to the contributor to fix what we think needs improving. Despite potentially spending more time to begin with to get code submitted into the project, we believe this investment in code review will result in better code submissions and increased proficiency of the contributor.

Therefore we would like to ask people to hang on, to get through the code review process and try to learn something while going through it. Rest assured, it will get easier next time and even easier the time after that, and before you know it you can contribute code to the project with little to no comments.

And if things are unclear, don’t hesitate to ask. The developer mailing list is: log2timeline-dev@googlegroups.com

Why not use reviewable.io?

We have looked at reviewable.io and our current assessment is that it looks very nice but does not make for a very functional User Interface/Experience. It also convolutes the git commit history.

Referencing github issues

If your changes relate to a specific github issue add the issue number as following:

Added serializers profiler #120

Where the “#120” is a reference to issue number 120.

Updating the code review

During the code review process you’ll be asked to change a few things, that is, the reviewer will add comments. Please follow the following guideline during the code review process:

  • Answer ALL comments made in the code review, even if it is only an ACK or “Done”.
    • It is also necessary to publish the comments, otherwise the reviewer doesn’t see the answers.
    • On the codereview site hit “m” for “Publish+Mail Comments” so that the review gets updated alongside the newly updated code.
  • Make the necessary changes to the code, as suggested by the reviewer.

The update process continues until the reviewer thinks the code is good enough to be submitted into the project.

Style Guide

We primarily follow the Google Python Style Guide.

Various Plaso specific additions/variations are:

Indentation

  • Indent your code blocks with 2 spaces (not 4 as in the style guide).
  • In the case of a hanging indent, use four spaces (according to the style guide).

Naming

  • Use full English words everywhere. For example, use Event not Evt and Description not Desc.
  • Acronyms and initialisms should be preserved, such as HTMLParser and not HtmlParser.
  • Method and function names follow the following logic (overriding the Google Python Style Guide):

Type | Public | Internal
--- | --- | ---
Functions | CapWords() | _CapWords() (protected) and __CapWords() (private)

Unused function or method arguments

Prefix unused function or method arguments with unused_.

Strings

  • Quote strings with ' (single quotes) or """ (triple double quotes), not with " (double quotes).
    • Quote strings in command line arguments (argparse) with " (double quotes).
  • Textual strings should be Unicode strings.
    • Use from __future__ import unicode_literals to make all strings Unicode by default.
  • Use the format() function instead of the %-style of formatting strings.
    • Use positional or parameter format specifiers with typing, e.g. ‘{0:s}’ or ‘{text:s}’ instead of ‘{0}’, ‘{}’ or ‘{:s}’. If we ever want to have language specific output strings we don’t need to change the entire codebase (again). It also makes it easier to determine what type every parameter is expected to be.

Exceptions

  • When catching exceptions use “as exception:” not some alternative form like “as error:” or “as details:”
  • Raise exceptions like this: raise MyException('Error message') or raise MyException.
  • Although Python allows for try ... except ... else we prefer not to use it.
  • Make exception messages as useful and descriptive as possible. For example, if an argument is out of the acceptable range, include the invalid value in the message to speed up debugging.

Return statements

Per PEP8: “Be consistent in return statements. Either all return statements in a function should return an expression, or none of them should. If any return statement returns an expression, any return statements where no value is returned should explicitly state this as return None, and an explicit return statement should be present at the end of the function (if reachable).”

  • Use return None instead of return when your function or method is expected to return a value.
  • Do not use return None in generators.
  • Use return in function or method that does not return a value.

Docstrings

  • Use English, and avoid abbreviations. Use “for example” or “such as” instead of Latin abbreviations like “e.g.”.
  • We use “Google Style” docstrings; see the examples at this page as well as the notes below.

There are still a few legacy docstrings in the codebase, here are some examples you might see. Please don’t write new code that looks like this:

def AddAnalysisReport(self, analysis_report):
    """Adds an analysis report.
    
    Args:
      analysis_report: a report.
    """

This is missing an important detail: the argument type. Is it a string? Some other sort of object? How about this:

def AddAnalysisReport(self, analysis_report):
    """Adds an analysis report.
    
    Args:
      analysis_report: an analysis report object (instance of AnalysisReport)
    """

This is overly verbose, and is hard to parse.

Instead do:

def AddAnalysisReport(self, analysis_report, storage_writer=None):
    """Adds an analysis report.
    
    Args:
      analysis_report (AnalysisReport): a report.
      storage_writer (Optional[StorageWriter]): the storage writer must be open, 
          and cannot be closed. If no storage_writer is provided, a new writer 
          will be created.
    """

Make sure your arguments descriptions include:

  1. The argument’s type;
  2. In case of standard types a description of their format. Note that we use the Python 3 standard types;
  3. A description of the meaning of the argument, in other words how the argument is used by the function (or method). If the description exceeds the line limit, indent the next line with 4 spaces.

The meaning can be left out if the function has few arguments and how the argument is used is obvious from the description, as in the example of AddAnalysisReport.

A few other tips:

Compound types

If a function deals with a compound type (list, dict), document it like so:

Args:
  constraints (dict[str, Filter]): constraint name mapped to the filter that implements the constraint.

Returns:
  list[BaseParser]: all relevant parsers.
Multiple acceptable types

If you need to specify multiple types, use a pipe to separate them. For example:

Args:
  path (str|Path): path to tag file.
Multiple return types

Python simulates multiple values being returned by implicitly returning a tuple. Document like so:

...
Returns:
  tuple: containing:

    str: parser name
    BaseParser: next parser
"""
return name, parser
Special arguments

Arguments like cls, self, *args, **kwargs are not expected to be explicitly named in the Args: section.

  def CopyToIsoFormat(cls, timestamp, timezone=pytz.UTC, raise_error=False):
    """Copies the timestamp to an ISO 8601 formatted string.

    Args:
      timestamp (int): number of microseconds since January 1, 1970, 00:00:00 UTC.
      timezone (Optional[pytz.timezone]): the result string will be expressed in this timezone.
      raise_error (Optional[bool]): False if OverflowError should be caught when timestamp is out of bounds.

    Returns:
      str: ISO 8601 formatted date and time.
    """
Class attributes

In addition to the Google Python Style Guide please sort class attributes alphabetically by name.

class SampleClass(object):
  """Summary of class here.

  Attributes:
      eggs (int): number of eggs we have laid.
      likes_spam (bool): whether we like SPAM or not.
  """
Constructor

In addition to the Google Python Style Guide please sort instance attributes alphabetically by name inside the constructor (__init__).

class SampleClass(object):
  """Summary of class here."""

  def __init__(self):
    """Summary of method here."""
    self.__private_attribute = None
    self._another_protected_attribute = None
    self._protected_attribute = None
    self.another_public_attribute = None
    self.public_attribute = None
Keyword arguments

In addition to the Google Python Style Guide please sort keyword arguments alphabetically by name.

def SampleFunction(alternate=None, keyword=None):
  """Summary of function here.

  Args:
      alternate (Optional[str]): alternate keyword argument.
      keyword (Optional[str]): keyword argument.
  """

Make sure to pass keyword arguments with their keyword prefix.

SampleFunction(keyword='THEKEY')

Unit tests

  • use self.assertEqual instead of self.assertEquals, same applies to self.assertNotEquals
  • use self.assertIsNone(variable) instead of self.assertEqual(variable, None), same applies to self.assertNotEqual

Other

  • Avoid the use of global variables.
  • Use class methods in preference to static methods
    • Use “cls” as the name of the class variable in preference to “klass”
  • Use textual pylint overrides e.g. “# pylint: disable=no-self-argument” instead of “# pylint: disable=E0213”. For a list of overrides see: http://docs.pylint.org/features.html
  • Tags for events need to be strings containing only alphanumeric characters or underscores. One of the reasons for this is better compatibility with other tools, such as TimeSketch.
  • All new Plaso code needs to be compatible with both Python 3.4+ and Python 2.7+. Plaso’s Python 3 Guide has some more detail about compatibility issues, and the pylint configuration will also flag some issues.

Source files

At the start of your source files define the encoding, which should be UTF-8, e.g.:

# -*- coding: utf-8 -*-

Also see: PEP 0263

Linting

Plaso uses pylint 1.7.x to enforce some additional best practices to keep the source code more readable. These are:

  • Limit the maximum number of arguments for function or method to 10

Tests

  • Use as much as possible the test functions available in the local test_lib.py instead of writing your own test functions. If you think a test function is missing please add it, or mail the developer list to see if you can get someone else to do it.
  • Use self.CheckTimestamp for testing timestamp values.

Common test code should be stored in “test library” files, e.g. the parser test library:

tests/parsers/test_lib.py

We do this for various reasons:

  • to remove code duplication in “boilerplate” test code;
  • to make the tests more uniform in both look-and-feel but also what is tested;
  • improve test coverage;
  • isolate core functionality from tests to prevent some future core changes affecting the parsers and plugins too much.

Rationale

To keep the code base maintainable and readable all code is developed using a similar coding style. It ensures:

  • the code is easy to maintain and understand. As a developer you’ll sometimes find yourself thinking WTF, what is the code supposed to do here? So it is a really important point that you need to be able to come back to code 5 months later and still quickly understand what it is supposed to be doing. Also, for other people that want to contribute it is necessary that they are able to quickly understand the code. That being said, quick-and-dirty solutions might work when you’re working on a case, but we’ll ban them from the code base.
  • that every developer knows to (largely) expect the same coding style.

We’ve noticed that some people find the process of having a style guide and a code review process intimidating. We’ve also noticed that once people get used to it and have gone through the process a few times they are generally thankful and learn quite a lot during the process, so bear with us.

Having a unified style makes it much easier to maintain the codebase. That means that every developer should be able to make changes in any file in the codebase without worrying about different code styles.

And if things are unclear, don’t hesitate to ask. The developer mailing list is: log2timeline-dev@googlegroups.com

How to write a parser

Introduction

This page is intended to give you an introduction into developing a parser for plaso.

  • First a step-by-step example is provided to create a simple binary parser for the Safari Cookies.binarycookies file.
  • At the bottom are some common troubleshooting tips for problems that others have run into before you.

This page assumes you have at least a basic understanding of programming in Python and use of git.

Format

Before you can write a binary file parser you will need to have a good understanding of the file format. A description of the Safari Cookies.binarycookies format can be found here.

Parsers vs. Plugins

Before starting work on a parser, check if Plaso already has a parser that handles the underlying format of the file you’re parsing. Plaso currently supports plugins for the following file formats:

  • Bencode
  • Web Browser Cookies
  • ESEDB
  • OLECF
  • Plist
  • SQLite
  • Syslog
  • Windows Registry

If the artifact you’re trying to parse is in one of these formats, you need to write a plugin of the appropriate type, rather than a parser.

For our example, however, the Safari Cookies.binarycookies file is in its own binary format, so a separate parser is appropriate.

Test data

First we make a representative test file and add it to the test_data/ directory, in our example:

test_data/Cookies.binarycookies

Make sure that the test file does not contain sensitive or copyrighted material.

Parsers, formatters, events and event data

  • parser: subclass of plaso.parsers.interface.FileObjectParser, that extracts events from the content of a file.
  • formatter (or event formatter): subclass of plaso.formatters.interface.EventFormatter, that generates a human readable description of the event data.
  • event: subclass of plaso.containers.events.EventObject, that represents an event.
  • event data: subclass of plaso.containers.events.EventData, that represents data related to the event.

Writing the parser

Registering the parser

Add an import for the parser to:

plaso/parsers/__init__.py
from plaso.parsers import safari_cookies

When plaso.parsers is imported this will load the safari_cookies module (safari_cookies.py).

The parser class BinaryCookieParser is registered using manager.ParsersManager.RegisterParser(BinaryCookieParser).

plaso/parsers/safari_cookies.py
# -*- coding: utf-8 -*-
"""Parser for Safari Binary Cookie files."""

from plaso.parsers import interface
from plaso.parsers import manager


class BinaryCookieParser(interface.FileObjectParser):
  """Parser for Safari Binary Cookie files."""

  NAME = u'binary_cookies'
  DESCRIPTION = u'Parser for Safari Binary Cookie files.'

  def ParseFileObject(self, parser_mediator, file_object, **kwargs):
    """Parses a Safari binary cookie file-like object.

    Args:
      parser_mediator (ParserMediator): parser mediator.
      file_object (dfvfs.FileIO): file-like object to be parsed.

    Raises:
      UnableToParseFile: when the file cannot be parsed, this will signal
          the event extractor to apply other parsers.
    """
    ...


manager.ParsersManager.RegisterParser(BinaryCookieParser)

The parser class defines two class attributes:

  • NAME: the name by which the parser is identified, e.g. when selecting parsers.
  • DESCRIPTION: a short human readable description of the parser.
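As an added example, not code from the plaso project, here is the same contract carried through stand-alone: the parser checks the signature and raises UnableToParseFile so that other parsers get a chance, walks the pages and cookie records of the Cookies.binarycookies format (file header with big endian page count and page sizes, pages with little endian cookie offsets, records with string offsets and Cocoa-time doubles), and hands event data to the mediator. It assumes plaso is not importable, so RecordingParserMediator and the ParsersManager here are small stand-ins for plaso's ParserMediator and manager.ParsersManager, and BuildSampleCookieFile constructs the test input.

```python
# Added example, not plaso code: stand-ins replace plaso's ParserMediator and ParsersManager.
import datetime
import io
import struct

COCOA_EPOCH = datetime.datetime(2001, 1, 1)  # Cocoa time: seconds since 2001-01-01 UTC
COOKIE_RECORD = struct.Struct('<IIIIIIIIQdd')  # 56 byte fixed part of a cookie record

class UnableToParseFile(Exception):
  """Signals the event extractor to apply other parsers (as in plaso)."""

class ParsersManager(object):
  """Stand-in for plaso.parsers.manager.ParsersManager, keyed by lower case NAME."""
  _parser_classes = {}

  @classmethod
  def RegisterParser(cls, parser_class):
    name = parser_class.NAME.lower()
    if name in cls._parser_classes:
      raise KeyError(u'Parser class already set for name: {0:s}.'.format(name))
    cls._parser_classes[name] = parser_class

class RecordingParserMediator(list):
  """Stand-in for plaso's ParserMediator: collects produced event data in a list."""
  ProduceEventData = list.append

class BinaryCookieParser(object):
  """Parser for Safari Binary Cookie files (would subclass FileObjectParser)."""
  NAME = u'binary_cookies'
  DESCRIPTION = u'Parser for Safari Binary Cookie files.'

  def ParseFileObject(self, parser_mediator, file_object, **kwargs):
    header = file_object.read(8)
    if len(header) != 8 or header[:4] != b'cook':
      raise UnableToParseFile(u'Not a Safari binary cookie file.')  # try next parser
    number_of_pages = struct.unpack('>I', header[4:])[0]  # big endian header
    page_sizes = struct.unpack(
        '>{0:d}I'.format(number_of_pages), file_object.read(4 * number_of_pages))
    for page_size in page_sizes:
      self._ParsePage(parser_mediator, file_object.read(page_size))

  def _ParsePage(self, parser_mediator, page):
    if page[:4] != b'\x00\x00\x01\x00':
      raise UnableToParseFile(u'Invalid cookie page header.')
    number_of_cookies = struct.unpack('<I', page[4:8])[0]  # little endian pages
    offsets = struct.unpack(
        '<{0:d}I'.format(number_of_cookies), page[8:8 + 4 * number_of_cookies])
    for offset in offsets:
      self._ParseCookie(parser_mediator, page, offset)

  def _ParseCookie(self, parser_mediator, page, offset):
    if offset + COOKIE_RECORD.size > len(page):
      raise UnableToParseFile(u'Cookie record outside of page.')
    (size, _, flags, _, url_offset, name_offset, path_offset, value_offset,
     _, expiration, creation) = COOKIE_RECORD.unpack_from(page, offset)
    cookie = page[offset:offset + size]
    def _ReadString(start):  # NUL terminated, offset relative to the record
      end = cookie.find(b'\x00', start)
      if end < 0:
        raise UnableToParseFile(u'Unterminated cookie string.')
      return cookie[start:end].decode('utf-8')
    parser_mediator.ProduceEventData({
        u'data_type': u'safari:cookie:entry', u'flags': flags,
        u'url': _ReadString(url_offset), u'path': _ReadString(path_offset),
        u'cookie_name': _ReadString(name_offset), u'cookie_value': _ReadString(value_offset),
        u'creation_time': COCOA_EPOCH + datetime.timedelta(seconds=creation),
        u'expiration_time': COCOA_EPOCH + datetime.timedelta(seconds=expiration)})

ParsersManager.RegisterParser(BinaryCookieParser)

def BuildSampleCookieFile(cookies):
  """Builds a one-page cookie file image from sample tuples (constructed test data)."""
  records = []
  for url, name, path, value, creation, expiration in cookies:
    strings, string_offsets = b'', []
    for text in (url, name, path, value):
      string_offsets.append(COOKIE_RECORD.size + len(strings))
      strings += text.encode('utf-8') + b'\x00'
    fixed = [COOKIE_RECORD.size + len(strings), 0, 0, 0] + string_offsets
    records.append(COOKIE_RECORD.pack(*(fixed + [0, expiration, creation])) + strings)
  record_offsets = [12 + 4 * len(records) + sum(len(record) for record in records[:index])
                    for index in range(len(records))]
  page = (b'\x00\x00\x01\x00' + struct.pack('<I', len(records)) +
          struct.pack('<{0:d}I'.format(len(records)), *record_offsets) +
          b'\x00\x00\x00\x00' + b''.join(records))
  return b'cook' + struct.pack('>II', 1, len(page)) + page

def TryParse(data):
  """Parses data; returns the produced event data, or None if not a cookie file."""
  mediator = RecordingParserMediator()
  try:
    BinaryCookieParser().ParseFileObject(mediator, io.BytesIO(data))
  except UnableToParseFile:
    return None
  return list(mediator)

SAMPLE_COOKIES = [  # constructed values (url, name, path, value, creation, expiration)
    (u'example.com', u'session', u'/', u'abc123', 500000000.0, 500086400.0),
    (u'login.example.org', u'token', u'/auth', u'xyz', 600000000.0, 600000600.0)]
```

TryParse(BuildSampleCookieFile(SAMPLE_COOKIES)) yields two event data dictionaries, while a file without the cook signature yields None instead of an exception, which is the behaviour the event extractor relies on to move to the next parser.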
Writing the event formatter

plaso/formatters/safari_cookies.py

plaso package

Subpackages

plaso.analysis package

Submodules
plaso.analysis.chrome_extension module

A plugin that gathers extension IDs from Chrome browser history.

class plaso.analysis.chrome_extension.ChromeExtensionPlugin[source]

Bases: plaso.analysis.interface.AnalysisPlugin

Convert Chrome extension IDs into names, requires Internet connection.

CompileReport(mediator)[source]

Compiles an analysis report.

Parameters:mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns:analysis report.
Return type:AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event)[source]

Analyzes an event.

Parameters:
  • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
  • event (EventObject) – event to examine.
NAME = 'chrome_extension'
plaso.analysis.definitions module

This file contains the definitions for analysis plugins.

plaso.analysis.file_hashes module

A plugin to generate a list of unique hashes and paths.

class plaso.analysis.file_hashes.FileHashesPlugin[source]

Bases: plaso.analysis.interface.AnalysisPlugin

A plugin for generating a list of file paths and corresponding hashes.

CompileReport(mediator)[source]

Compiles an analysis report.

Parameters:mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns:report.
Return type:AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event)[source]

Analyzes an event and extracts hashes as required.

Parameters:
  • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
  • event (EventObject) – event to examine.
NAME = 'file_hashes'
plaso.analysis.interface module

This file contains the interface for analysis plugins.

class plaso.analysis.interface.AnalysisPlugin[source]

Bases: object

Class that defines the analysis plugin interface.

CompileReport(mediator)[source]

Compiles a report of the analysis.

After the plugin has received every copy of an event to analyze this function will be called so that the report can be assembled.

Parameters:mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns:report.
Return type:AnalysisReport
ENABLE_IN_EXTRACTION = False
ExamineEvent(mediator, event)[source]

Analyzes an event object.

Parameters:
  • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
  • event (EventObject) – event.
NAME = 'analysis_plugin'
URLS = []
plugin_name

str – name of the plugin.

class plaso.analysis.interface.HTTPHashAnalyzer(hash_queue, hash_analysis_queue, **kwargs)[source]

Bases: plaso.analysis.interface.HashAnalyzer

Interface for hash analysis plugins that use HTTP(S).

Analyze(hashes)[source]

Analyzes a list of hashes.

Parameters:hashes (list[str]) – hashes to look up.
Returns:analysis results.
Return type:list[HashAnalysis]
MakeRequestAndDecodeJSON(url, method, **kwargs)[source]

Makes an HTTP request and decodes the results as JSON.

Parameters:
  • url (str) – URL to make a request to.
  • method (str) – HTTP method to use to make the request. GET and POST are supported.
  • kwargs – parameters to the requests .get() or post() methods, depending on the value of the method parameter.
Returns:

body of the HTTP response, decoded from JSON.

Return type:

dict[str, object]

Raises:
  • ConnectionError – If it is not possible to connect to the given URL, or if the request returns an HTTP error.
  • ValueError – If an invalid HTTP method is specified.
class plaso.analysis.interface.HashAnalysis(subject_hash, hash_information)[source]

Bases: object

Analysis information about a hash.

hash_information

object – object containing information about the hash.

subject_hash

str – hash that was analyzed.

class plaso.analysis.interface.HashAnalyzer(hash_queue, hash_analysis_queue, hashes_per_batch=1, lookup_hash='sha256', wait_after_analysis=0)[source]

Bases: threading.Thread

Class that defines the interfaces for hash analyzer threads.

This interface should be implemented once for each hash analysis plugin.

analyses_performed

int – number of analysis batches completed by this analyzer.

hashes_per_batch

int – maximum number of hashes to analyze at once.

lookup_hash

str – name of the hash attribute to look up.

seconds_spent_analyzing

int – number of seconds this analyzer has spent performing analysis (as opposed to waiting on queues, etc.)

wait_after_analysis

int – number of seconds the analyzer will sleep for after analyzing a batch of hashes.

Analyze(hashes)[source]

Analyzes a list of hashes.

Parameters:hashes (list[str]) – list of hashes to look up.
Returns:list of results of analyzing the hashes.
Return type:list[HashAnalysis]
EMPTY_QUEUE_WAIT_TIME = 4
SUPPORTED_HASHES = []
SetLookupHash(lookup_hash)[source]

Sets the hash to query.

Parameters:lookup_hash (str) – name of the hash attribute to look up.
Raises:ValueError – if the lookup hash is not supported.
SignalAbort()[source]

Instructs this analyzer to stop running.

run()[source]

The method called by the threading library to start the thread.

class plaso.analysis.interface.HashTaggingAnalysisPlugin(analyzer_class)[source]

Bases: plaso.analysis.interface.AnalysisPlugin

An interface for plugins that tag events based on the source file hash.

An implementation of this class should be paired with an implementation of the HashAnalyzer interface.

hash_analysis_queue

Queue.queue – queue that contains the results of analysis of file hashes.

hash_queue

Queue.queue – queue that contains file hashes.

CompileReport(mediator)[source]

Compiles an analysis report.

Parameters:mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns:report.
Return type:AnalysisReport
DATA_TYPES = []
DEFAULT_QUEUE_TIMEOUT = 4
EstimateTimeRemaining()[source]

Estimates how long until all hashes have been analyzed.

Returns:estimated number of seconds until all hashes have been analyzed.
Return type:int
ExamineEvent(mediator, event)[source]

Evaluates whether an event contains the right data for a hash lookup.

Parameters:
  • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
  • event (EventObject) – event.
GenerateLabels(hash_information)[source]

Generates a list of strings to tag events with.

Parameters:hash_information (object) – object that mediates the result of the analysis of a hash, as returned by the Analyze() method of the analyzer class associated with this plugin.
Returns:list of labels to apply to events.
Return type:list[str]
SECONDS_BETWEEN_STATUS_LOG_MESSAGES = 30
SetLookupHash(lookup_hash)[source]

Sets the hash to query.

Parameters:lookup_hash (str) – name of the hash attribute to look up.
plaso.analysis.logger module

The analysis sub module logger.

plaso.analysis.manager module

This file contains the analysis plugin manager class.

class plaso.analysis.manager.AnalysisPluginManager[source]

Bases: object

Analysis plugin manager.

classmethod DeregisterPlugin(plugin_class)[source]

Deregisters an analysis plugin class.

The analysis plugin classes are identified by their lower case name.

Parameters:plugin_class (type) – class of the analysis plugin.
Raises:KeyError – if an analysis plugin class is not set for the corresponding name.
classmethod GetAllPluginInformation(show_all=True)[source]

Retrieves a list of the registered analysis plugins.

Parameters:show_all (Optional[bool]) – True if all analysis plugin names should be listed.
Returns:the name, docstring and type string of each analysis plugin in alphabetical order.
Return type:list[tuple[str, str, str]]
classmethod GetPluginNames()[source]

Retrieves the analysis plugin names.

Returns:analysis plugin names.
Return type:list[str]
classmethod GetPluginObjects(plugin_names)[source]

Retrieves the plugin objects.

Parameters:plugin_names (list[str]) – names of plugins that should be retrieved.
Returns:analysis plugins per name.
Return type:dict[str, AnalysisPlugin]
classmethod GetPlugins()[source]

Retrieves the registered analysis plugin classes.

Yields:tuple – containing: str: name of the plugin, type: plugin class.

classmethod RegisterPlugin(plugin_class)[source]

Registers an analysis plugin class.

The analysis plugin classes are identified based on their lower case name.

Parameters:plugin_class (type) – class of the analysis plugin.
Raises:KeyError – if an analysis plugin class is already set for the corresponding name.
classmethod RegisterPlugins(plugin_classes)[source]

Registers analysis plugin classes.

The analysis plugin classes are identified based on their lower case name.

Parameters:plugin_classes (list[type]) – classes of the analysis plugin.
Raises:KeyError – if an analysis plugin class is already set for the corresponding name.
plaso.analysis.mediator module

The analysis plugin mediator object.

class plaso.analysis.mediator.AnalysisMediator(storage_writer, knowledge_base, data_location=None)[source]

Bases: object

Analysis plugin mediator.

last_activity_timestamp

int – timestamp received that indicates the last time activity was observed. The last activity timestamp is updated when the mediator produces an attribute container, such as an event tag. This timestamp is used by the multi processing worker process to indicate the last time the worker was known to be active. This information is then used by the foreman to detect workers that are not responding (stalled).

number_of_produced_analysis_reports

int – number of produced analysis reports.

number_of_produced_event_tags

int – number of produced event tags.

GetDisplayNameForPathSpec(path_spec)[source]

Retrieves the display name for a path specification.

Parameters:path_spec (dfvfs.PathSpec) – path specification.
Returns:human readable version of the path specification.
Return type:str
GetUsernameForPath(path)[source]

Retrieves a username for a specific path.

This determines whether a specific path is within a user’s directory and, if so, returns the username of that user.

Parameters:path (str) – path.
Returns:username or None if the path does not appear to be within a user’s directory.
Return type:str
ProduceAnalysisReport(plugin)[source]

Produces an analysis report.

Parameters:plugin (AnalysisPlugin) – plugin.
ProduceEventTag(event_tag)[source]

Produces an event tag.

Parameters:event_tag (EventTag) – event tag.
SignalAbort()[source]

Signals the analysis plugins to abort.

abort

bool – True if the analysis should be aborted.

data_location

str – path to the data files.

operating_system

str – operating system or None if not set.

plaso.analysis.nsrlsvr module

Analysis plugin to look up files in nsrlsvr and tag events.

class plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin[source]

Bases: plaso.analysis.interface.HashTaggingAnalysisPlugin

Analysis plugin for looking up hashes in nsrlsvr.

DATA_TYPES = ['fs:stat', 'fs:stat:ntfs']
GenerateLabels(hash_information)[source]

Generates a list of strings that will be used in the event tag.

Parameters:hash_information (bool) – whether the analyzer received a response from nsrlsvr indicating that the hash was present in its loaded NSRL set.
Returns:strings describing the results from nsrlsvr.
Return type:list[str]
NAME = 'nsrlsvr'
SetHost(host)[source]

Sets the address or hostname of the server running nsrlsvr.

Parameters:host (str) – IP address or hostname to query.
SetLabel(label)[source]

Sets the tagging label.

Parameters:label (str) – label to apply to events extracted from files that are present in nsrlsvr.
SetPort(port)[source]

Sets the port where nsrlsvr is listening.

Parameters:port (int) – port to query.
TestConnection()[source]

Tests the connection to nsrlsvr.

Returns:True if nsrlsvr instance is reachable.
Return type:bool
URLS = ['https://rjhansen.github.io/nsrlsvr/']
class plaso.analysis.nsrlsvr.NsrlsvrAnalyzer(hash_queue, hash_analysis_queue, **kwargs)[source]

Bases: plaso.analysis.interface.HashAnalyzer

Analyzes file hashes by consulting an nsrlsvr instance.

analyses_performed

int – number of analysis batches completed by this analyzer.

hashes_per_batch

int – maximum number of hashes to analyze at once.

seconds_spent_analyzing

int – number of seconds this analyzer has spent performing analysis (as opposed to waiting on queues, etc.)

wait_after_analysis

int – number of seconds the analyzer will sleep for after analyzing a batch of hashes.

Analyze(hashes)[source]

Looks up hashes in nsrlsvr.

Parameters:hashes (list[str]) – hash values to look up.
Returns:analysis results, or an empty list on error.
Return type:list[HashAnalysis]
SUPPORTED_HASHES = ['md5', 'sha1']
SetHost(host)[source]

Sets the address or hostname of the server running nsrlsvr.

Parameters:host (str) – IP address or hostname to query.
SetPort(port)[source]

Sets the port where nsrlsvr is listening.

Parameters:port (int) – port to query.
TestConnection()[source]

Tests the connection to nsrlsvr.

Checks if a connection can be set up and queries the server for the MD5 of an empty file and expects a response. The value of the response is not checked.

Returns:True if nsrlsvr instance is reachable.
Return type:bool
plaso.analysis.sessionize module

A plugin to label events by session.

class plaso.analysis.sessionize.SessionizeAnalysisPlugin[source]

Bases: plaso.analysis.interface.AnalysisPlugin

Analysis plugin that labels events by session.

CompileReport(mediator)[source]

Compiles an analysis report.

Parameters:mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns:analysis report.
Return type:AnalysisReport
ENABLE_IN_EXTRACTION = False
ExamineEvent(mediator, event)[source]

Analyzes an EventObject and tags it as part of a session.

Parameters:
  • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
  • event (EventObject) – event to examine.
NAME = 'sessionize'
SetMaximumPause(maximum_pause_minutes)[source]

Sets the maximum pause interval between events to consider a session.

Parameters:maximum_pause_minutes (int) – maximum gap between events that are part of the same session, in minutes.
plaso.analysis.tagging module

A plugin to tag events according to rules in a tagging file.

class plaso.analysis.tagging.TaggingAnalysisPlugin[source]

Bases: plaso.analysis.interface.AnalysisPlugin

Analysis plugin that tags events according to rules in a tagging file.

CompileReport(mediator)[source]

Compiles an analysis report.

Parameters:mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns:analysis report.
Return type:AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event)[source]

Analyzes an EventObject and tags it according to rules in the tag file.

Parameters:
  • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
  • event (EventObject) – event to examine.
NAME = 'tagging'
SetAndLoadTagFile(tagging_file_path)[source]

Sets the tag file to be used by the plugin.

Parameters:tagging_file_path (str) – path of the tagging file.
plaso.analysis.unique_domains_visited module

A plugin to generate a list of domains visited.

class plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPlugin[source]

Bases: plaso.analysis.interface.AnalysisPlugin

A plugin to generate a list of all domains visited.

This plugin will extract domains from browser history events extracted by Plaso. The list produced can be used to quickly determine if there has been a visit to a site of interest, for example, a known phishing site.

CompileReport(mediator)[source]

Compiles an analysis report.

Parameters:mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns:the analysis report.
Return type:AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event)[source]

Analyzes an event and extracts domains from it.

We only evaluate straightforward web history events, not visits which can be inferred by TypedURLs, cookies or other means.

Parameters:
  • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
  • event (EventObject) – event to examine.
NAME = 'unique_domains_visited'
plaso.analysis.viper module

Analysis plugin to look up files in Viper and tag events.

class plaso.analysis.viper.ViperAnalysisPlugin[source]

Bases: plaso.analysis.interface.HashTaggingAnalysisPlugin

An analysis plugin for looking up SHA256 hashes in Viper.

DATA_TYPES = ['pe:compilation:compilation_time']
GenerateLabels(hash_information)[source]

Generates a list of strings that will be used in the event tag.

Parameters:hash_information (dict[str, object]) – JSON decoded contents of the result of a Viper lookup, as produced by the ViperAnalyzer.
Returns:list of labels to apply to events.
Return type:list[str]
NAME = 'viper'
SetHost(host)[source]

Sets the address or hostname of the server running Viper.

Parameters:host (str) – IP address or hostname to query.
SetPort(port)[source]

Sets the port where Viper server is listening.

Parameters:port (int) – port to query.
SetProtocol(protocol)[source]

Sets the protocol that will be used to query Viper.

Parameters:protocol (str) – protocol to use to query Viper. Either ‘http’ or ‘https’.
Raises:ValueError – If an invalid protocol is selected.
TestConnection()[source]

Tests the connection to the Viper server.

Returns:True if the Viper server instance is reachable.
Return type:bool
URLS = ['https://viper.li']
class plaso.analysis.viper.ViperAnalyzer(hash_queue, hash_analysis_queue, **kwargs)[source]

Bases: plaso.analysis.interface.HTTPHashAnalyzer

Class that analyzes file hashes by consulting Viper.

REST API reference:
https://viper-framework.readthedocs.org/en/latest/usage/web.html#api

Analyze(hashes)[source]

Looks up hashes in Viper using the Viper HTTP API.

Parameters:hashes (list[str]) – hashes to look up.
Returns:hash analysis.
Return type:list[HashAnalysis]
Raises:RuntimeError – If no host has been set for Viper.
SUPPORTED_HASHES = ['md5', 'sha256']
SUPPORTED_PROTOCOLS = ['http', 'https']
SetHost(host)[source]

Sets the address or hostname of the server running Viper.

Parameters:host (str) – IP address or hostname to query.
SetPort(port)[source]

Sets the port where Viper server is listening.

Parameters:port (int) – port to query.
SetProtocol(protocol)[source]

Sets the protocol that will be used to query Viper.

Parameters:protocol (str) – protocol to use to query Viper. Either ‘http’ or ‘https’.
Raises:ValueError – if the protocol is not supported.
TestConnection()[source]

Tests the connection to the Viper server.

Returns:True if the Viper server instance is reachable.
Return type:bool
plaso.analysis.virustotal module

Analysis plugin to look up files in VirusTotal and tag events.

class plaso.analysis.virustotal.VirusTotalAnalysisPlugin[source]

Bases: plaso.analysis.interface.HashTaggingAnalysisPlugin

An analysis plugin for looking up hashes in VirusTotal.

DATA_TYPES = ['pe:compilation:compilation_time']
EnableFreeAPIKeyRateLimit()[source]

Configures rate limiting for queries to VirusTotal.

The default rate limit for free VirusTotal API keys is 4 requests per minute.

GenerateLabels(hash_information)[source]

Generates a list of strings that will be used in the event tag.

Parameters:hash_information (dict[str, object]) – the JSON decoded contents of the result of a VirusTotal lookup, as produced by the VirusTotalAnalyzer.
Returns:strings describing the results from VirusTotal.
Return type:list[str]
NAME = 'virustotal'
SetAPIKey(api_key)[source]

Sets the VirusTotal API key to use in queries.

Parameters:api_key (str) – VirusTotal API key
TestConnection()[source]

Tests the connection to VirusTotal.

Returns:True if VirusTotal is reachable.
Return type:bool
URLS = ['https://virustotal.com']
class plaso.analysis.virustotal.VirusTotalAnalyzer(hash_queue, hash_analysis_queue, **kwargs)[source]

Bases: plaso.analysis.interface.HTTPHashAnalyzer

Class that analyzes file hashes by consulting VirusTotal.

Analyze(hashes)[source]

Looks up hashes in VirusTotal using the VirusTotal HTTP API.

The API is documented here:
https://www.virustotal.com/en/documentation/public-api/

Parameters:hashes (list[str]) – hashes to look up.
Returns:analysis results.
Return type:list[HashAnalysis]
Raises:RuntimeError – If the VirusTotal API key has not been set.
SUPPORTED_HASHES = ['md5', 'sha1', 'sha256']
SetAPIKey(api_key)[source]

Sets the VirusTotal API key to use in queries.

Parameters:api_key (str) – VirusTotal API key
TestConnection()[source]

Tests the connection to VirusTotal.

Returns:True if VirusTotal is reachable.
Return type:bool
plaso.analysis.windows_services module

A plugin to enable quick triage of Windows Services.

class plaso.analysis.windows_services.WindowsServiceCollection[source]

Bases: object

Class to hold and de-duplicate Windows Services.

AddService(new_service)[source]

Add a new service to the list of ones we know about.

Parameters:new_service (WindowsService) – the service to add.
services

list[WindowsService] – services in this collection.

class plaso.analysis.windows_services.WindowsServicesAnalysisPlugin[source]

Bases: plaso.analysis.interface.AnalysisPlugin

Provides a single list of Windows services found in the Registry.

CompileReport(mediator)[source]

Compiles an analysis report.

Parameters:mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns:report.
Return type:AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event)[source]

Analyzes an event and creates Windows Services as required.

At present, this method only handles events extracted from the Registry.

Parameters:
  • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
  • event (EventObject) – event to examine.
NAME = 'windows_services'
SetOutputFormat(output_format)[source]

Sets the output format of the generated report.

Parameters:output_format (str) – the format the plugin should use to produce its output.
Module contents

This file imports Python modules that register analysis plugins.

plaso.analyzers package

Subpackages
plaso.analyzers.hashers package
Submodules
plaso.analyzers.hashers.interface module

The hasher interface.

class plaso.analyzers.hashers.interface.BaseHasher[source]

Bases: object

Base class for objects that calculate hashes.

DESCRIPTION = 'Calculates a digest hash over input data.'
GetBinaryDigest()[source]

Retrieves the digest of the hash function as a binary string.

Returns:binary hash digest calculated over the data blocks passed to Update().
Return type:bytes
GetStringDigest()[source]

Retrieves the digest of the hash function expressed as a Unicode string.

Returns:string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
Return type:str
NAME = 'base_hasher'
Update(data)[source]

Updates the current state of the hasher with a new block of data.

Repeated calls to update are equivalent to one single call with the concatenation of the arguments.

Parameters:data (bytes) – data with which to update the context of the hasher.
plaso.analyzers.hashers.manager module

This file contains a class for managing digest hashers for Plaso.

class plaso.analyzers.hashers.manager.HashersManager[source]

Bases: object

Class that implements the hashers manager.

classmethod DeregisterHasher(hasher_class)[source]

Deregisters a hasher class.

The hasher classes are identified based on their lower case name.

Parameters:hasher_class (type) – class object of the hasher.
Raises:KeyError – if hasher class is not set for the corresponding name.
classmethod GetHasher(hasher_name)[source]

Retrieves an instance of a specific hasher.

Parameters:hasher_name (str) – the name of the hasher to retrieve.
Returns:hasher.
Return type:BaseHasher
Raises:KeyError – if hasher class is not set for the corresponding name.
classmethod GetHasherClasses(hasher_names=None)[source]

Retrieves the registered hashers.

Parameters:hasher_names (list[str]) – names of the hashers to retrieve.
Yields:tuple – containing: str: hasher name, type: hasher class.

classmethod GetHasherNames()[source]

Retrieves the names of all loaded hashers.

Returns:hasher names.
Return type:list[str]
classmethod GetHasherNamesFromString(hasher_names_string)[source]

Retrieves a list of a hasher names from a comma separated string.

Takes a string of comma separated hasher names and transforms it into a list of hasher names.

Parameters:hasher_names_string (str) – comma separated names of hashers to enable, the string ‘all’ to enable all hashers or ‘none’ to disable all hashers.
Returns:names of valid hashers from the string, or an empty list if no valid names are found.
Return type:list[str]
classmethod GetHashers(hasher_names)[source]

Retrieves instances for all the specified hashers.

Parameters:hasher_names (list[str]) – names of the hashers to retrieve.
Returns:hashers.
Return type:list[BaseHasher]
classmethod GetHashersInformation()[source]

Retrieves the hashers information.

Returns:tuples containing: str: hasher name, str: hasher description.
Return type:list[tuple]
classmethod RegisterHasher(hasher_class)[source]

Registers a hasher class.

The hasher classes are identified based on their lower case name.

Parameters:hasher_class (type) – class object of the hasher.
Raises:KeyError – if hasher class is already set for the corresponding name.
plaso.analyzers.hashers.md5 module

The MD5 hasher implementation.

class plaso.analyzers.hashers.md5.MD5Hasher[source]

Bases: plaso.analyzers.hashers.interface.BaseHasher

This class provides MD5 hashing functionality.

DESCRIPTION = 'Calculates an MD5 digest hash over input data.'
GetBinaryDigest()[source]

Returns the digest of the hash function as a binary string.

Returns:binary string hash digest calculated over the data blocks passed to Update().
Return type:bytes
GetStringDigest()[source]

Returns the digest of the hash function expressed as a Unicode string.

Returns:string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
Return type:str
NAME = 'md5'
Update(data)[source]

Updates the current state of the hasher with a new block of data.

Repeated calls to update are equivalent to one single call with the concatenation of the arguments.

Parameters:data (bytes) – block of data with which to update the context of the hasher.
plaso.analyzers.hashers.sha1 module

The SHA-1 hasher implementation.

class plaso.analyzers.hashers.sha1.SHA1Hasher[source]

Bases: plaso.analyzers.hashers.interface.BaseHasher

This class provides SHA-1 hashing functionality.

DESCRIPTION = 'Calculates a SHA-1 digest hash over input data.'
GetBinaryDigest()[source]

Returns the digest of the hash function as a binary string.

Returns:
binary string hash digest calculated over the data blocks passed to
Update().
Return type:bytes
GetStringDigest()[source]

Returns the digest of the hash function expressed as a Unicode string.

Returns:
string hash digest calculated over the data blocks passed to
Update(). The string consists of printable Unicode characters.
Return type:str
NAME = 'sha1'
Update(data)[source]

Updates the current state of the hasher with a new block of data.

Repeated calls to update are equivalent to one single call with the concatenation of the arguments.

Parameters:data (bytes) – block of data with which to update the context of the hasher.
plaso.analyzers.hashers.sha256 module

The SHA-256 hasher implementation.

class plaso.analyzers.hashers.sha256.SHA256Hasher[source]

Bases: plaso.analyzers.hashers.interface.BaseHasher

This class provides SHA-256 hashing functionality.

DESCRIPTION = 'Calculates a SHA-256 digest hash over input data.'
GetBinaryDigest()[source]

Returns the digest of the hash function as a binary string.

Returns:
binary string hash digest calculated over the data blocks passed to
Update().
Return type:bytes
GetStringDigest()[source]

Returns the digest of the hash function expressed as a Unicode string.

Returns:
string hash digest calculated over the data blocks passed to
Update(). The string consists of printable Unicode characters.
Return type:str
NAME = 'sha256'
Update(data)[source]

Updates the current state of the hasher with a new block of data.

Repeated calls to update are equivalent to one single call with the concatenation of the arguments.

Parameters:data (bytes) – block of data with which to update the context of the hasher.
Module contents

This file imports Python modules that register hashers.

Submodules
plaso.analyzers.hashing_analyzer module

The hashing analyzer implementation.

class plaso.analyzers.hashing_analyzer.HashingAnalyzer[source]

Bases: plaso.analyzers.interface.BaseAnalyzer

This class contains code for calculating file hashes of input files.

Analyze(data)[source]

Updates the internal state of the analyzer, processing a block of data.

Repeated calls are equivalent to a single call with the concatenation of all the arguments.

Parameters:data (bytes) – block of data from the data stream.
DESCRIPTION = 'Calculates hashes of file content.'
GetResults()[source]

Retrieves the hashing results.

Returns:results.
Return type:list[AnalyzerResult]
INCREMENTAL_ANALYZER = True
NAME = 'hashing'
PROCESSING_STATUS_HINT = 'hashing'
Reset()[source]

Resets the internal state of the analyzer.

SetHasherNames(hasher_names_string)[source]

Sets the hashers that should be enabled.

Parameters:hasher_names_string (str) – comma separated names of hashers to enable.
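The hashers documented above and the HashingAnalyzer that drives them share one small pattern: a manager keyed on lower-case names, a string-to-names parser that understands 'all' and 'none' and silently drops unknown names, and hashers whose Update() can be fed a data stream block by block. The stand-alone Python below is an added example for these docs, not plaso's code, and does not import plaso. It assumes hashlib is an adequate stand-in for the hasher internals, replaces AnalyzerResult objects with (attribute, value) tuples, and adds a HashInBlocks helper that exists only for this example.

```python
"""Stand-alone illustration of the hasher and hashing analyzer API above.

Example code written for these docs, not plaso's implementation: the names
mirror the documented API, hashlib stands in for the hasher internals (an
assumption) and AnalyzerResult is replaced by (attribute, value) tuples.
"""
import hashlib

class BaseHasher(object):
  NAME = 'base_hasher'  # subclasses set this to a hashlib algorithm name

  def __init__(self):
    self._context = hashlib.new(self.NAME)

  def Update(self, data):
    # Repeated calls equal one call over the concatenation, which is what
    # lets the analyzer feed a data stream to the hasher block by block.
    self._context.update(data)

  def GetBinaryDigest(self):
    return self._context.digest()

  def GetStringDigest(self):
    return self._context.hexdigest()  # printable, safe for an attribute

class MD5Hasher(BaseHasher):
  NAME = 'md5'

class SHA1Hasher(BaseHasher):
  NAME = 'sha1'

class SHA256Hasher(BaseHasher):
  NAME = 'sha256'

class HashersManager(object):
  _hasher_classes = {}  # keyed on lower-case hasher name

  @classmethod
  def RegisterHasher(cls, hasher_class):
    name = hasher_class.NAME.lower()
    if name in cls._hasher_classes:
      raise KeyError('Hasher class already set for name: {0:s}.'.format(name))
    cls._hasher_classes[name] = hasher_class

  @classmethod
  def GetHasherNames(cls):
    return sorted(cls._hasher_classes)

  @classmethod
  def GetHasherNamesFromString(cls, hasher_names_string):
    # 'all' enables every registered hasher, 'none' (or empty) disables them
    # all, and unknown names are dropped rather than raising.
    value = (hasher_names_string or '').strip().lower()
    if value in ('', 'none'):
      return []
    if value == 'all':
      return cls.GetHasherNames()
    return [name.strip() for name in value.split(',')
            if name.strip() in cls._hasher_classes]

  @classmethod
  def GetHashers(cls, hasher_names):
    return [cls._hasher_classes[name]() for name in hasher_names]

class HashingAnalyzer(object):
  NAME = 'hashing'
  INCREMENTAL_ANALYZER = True  # Analyze() is called once per block

  def __init__(self):
    self._hashers = []

  def SetHasherNames(self, hasher_names_string):
    names = HashersManager.GetHasherNamesFromString(hasher_names_string)
    self._hashers = HashersManager.GetHashers(names)

  def Analyze(self, data):
    for hasher in self._hashers:
      hasher.Update(data)

  def GetResults(self):
    return [(hasher.NAME + '_hash', hasher.GetStringDigest())
            for hasher in self._hashers]

  def Reset(self):
    # Fresh contexts, so no state leaks from one data stream into the next.
    self._hashers = [hasher.__class__() for hasher in self._hashers]

for _hasher_class in (MD5Hasher, SHA1Hasher, SHA256Hasher):
  HashersManager.RegisterHasher(_hasher_class)

def HashInBlocks(data, block_size, hasher_names_string='sha256,md5'):
  """Hashes data through a HashingAnalyzer in block_size pieces (example helper)."""
  analyzer = HashingAnalyzer()
  analyzer.SetHasherNames(hasher_names_string)
  for offset in range(0, len(data), block_size):
    analyzer.Analyze(data[offset:offset + block_size])
  return dict(analyzer.GetResults())
```

HashInBlocks(data, 7) and HashInBlocks(data, len(data)) must return identical digests; if they differ, Update() is not incremental and the analyzer cannot be trusted on streamed input. Calling Reset() between data streams matters for the same reason: a reused context would quietly hash the concatenation of two files and attribute the digest to the second.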
plaso.analyzers.interface module

Definitions to provide a whole-file processing framework.

class plaso.analyzers.interface.BaseAnalyzer[source]

Bases: object

Class that provides the interface for whole-file analysis.

Analyze(data)[source]

Analyzes a block of data, updating the state of the analyzer

Parameters:data (bytes) – block of data to process.
DESCRIPTION = ''
GetResults()[source]

Retrieves the results of the analysis.

Returns:results.
Return type:list[AnalyzerResult]
INCREMENTAL_ANALYZER = False
NAME = 'base_analyzer'
PROCESSING_STATUS_HINT = 'analyzing'
Reset()[source]

Resets the internal state of the analyzer.

SIZE_LIMIT = 33554432
plaso.analyzers.logger module

The analyzers sub module logger.

plaso.analyzers.manager module

This file contains a class for managing digest analyzers for Plaso.

class plaso.analyzers.manager.AnalyzersManager[source]

Bases: object

Class that implements the analyzers manager.

classmethod DeregisterAnalyzer(analyzer_class)[source]

Deregisters an analyzer class.

The analyzer classes are identified based on their lower case name.

Parameters:analyzer_class (type) – class object of the analyzer.
Raises:KeyError – if analyzer class is not set for the corresponding name.
classmethod GetAnalyzerInstance(analyzer_name)[source]

Retrieves an instance of a specific analyzer.

Parameters:analyzer_name (str) – name of the analyzer to retrieve.
Returns:analyzer instance.
Return type:BaseAnalyzer
Raises:KeyError – if analyzer class is not set for the corresponding name.
classmethod GetAnalyzerInstances(analyzer_names)[source]

Retrieves instances for all the specified analyzers.

Parameters:analyzer_names (list[str]) – names of the analyzers to retrieve.
Returns:analyzer instances.
Return type:list[BaseAnalyzer]
classmethod GetAnalyzerNames()[source]

Retrieves the names of all loaded analyzers.

Returns:analyzer names.
Return type:list[str]
classmethod GetAnalyzers()[source]

Retrieves the registered analyzers.

Yields:tuple containing:
str: the uniquely identifying name of the analyzer.
type: the analyzer class.

classmethod GetAnalyzersInformation()[source]

Retrieves the analyzers information.

Returns:list of tuples containing:
str: analyzer name.
str: analyzer description.
Return type:list[tuple]
classmethod RegisterAnalyzer(analyzer_class)[source]

Registers an analyzer class.

The analyzer classes are identified by their lower case name.

Parameters:analyzer_class (type) – the analyzer class to register.
Raises:KeyError – if analyzer class is already set for the corresponding name.
plaso.analyzers.yara_analyzer module

Analyzer that matches Yara rules.

class plaso.analyzers.yara_analyzer.YaraAnalyzer[source]

Bases: plaso.analyzers.interface.BaseAnalyzer

Analyzer that matches Yara rules.

Analyze(data)[source]

Analyzes a block of data, attempting to match Yara rules to it.

Parameters:data (bytes) – a block of data.
DESCRIPTION = 'Matches Yara rules over input data.'
GetResults()[source]

Retrieves results of the most recent analysis.

Returns:results.
Return type:list[AnalyzerResult]
INCREMENTAL_ANALYZER = False
NAME = 'yara'
PROCESSING_STATUS_HINT = 'yara scan'
Reset()[source]

Resets the internal state of the analyzer.

SetRules(rules_string)[source]

Sets the rules that the Yara analyzer will use.

Parameters:rules_string (str) – Yara rule definitions
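INCREMENTAL_ANALYZER and SIZE_LIMIT on BaseAnalyzer determine how a data stream reaches an analyzer: the hashing analyzer can take the stream one block at a time, while a rule matcher such as the Yara analyzer needs the whole content in a single Analyze() call, because a match can straddle two blocks. The dispatch loop below is an added example for these docs, not plaso's processing worker. How plaso applies SIZE_LIMIT is not described on this page, so the rule used here (skip a whole-file analyzer when the stream is larger than its SIZE_LIMIT and record the gap) is an assumption. PatternAnalyzer is a plain byte-sequence matcher standing in for Yara, with a deliberately small SIZE_LIMIT so the skip path can be exercised; AnalyzeDataStream and RunExample are names invented for the example.

```python
"""Driving incremental and whole-file analyzers over one data stream.

Example code for these docs, not plaso's processing worker. The dispatch
rule (stream INCREMENTAL_ANALYZER analyzers block by block; give whole-file
analyzers the complete content in one Analyze() call, skipping them when
the stream exceeds SIZE_LIMIT) is an assumption about how the documented
attributes are meant to be used.
"""
import hashlib
import io

class BaseAnalyzer(object):
  NAME = 'base_analyzer'
  INCREMENTAL_ANALYZER = False
  SIZE_LIMIT = 32 * 1024 * 1024  # 33554432 bytes, as documented above

  def Analyze(self, data):
    raise NotImplementedError()

  def GetResults(self):
    raise NotImplementedError()

  def Reset(self):
    raise NotImplementedError()

class DigestAnalyzer(BaseAnalyzer):
  """Incremental: state accumulates across Analyze() calls, any size works."""
  NAME = 'digest'
  INCREMENTAL_ANALYZER = True

  def __init__(self):
    self.Reset()

  def Analyze(self, data):
    self._context.update(data)

  def GetResults(self):
    return [('sha256_hash', self._context.hexdigest())]

  def Reset(self):
    self._context = hashlib.sha256()

class PatternAnalyzer(BaseAnalyzer):
  """Whole-file stand-in for a rule engine such as Yara (non-incremental).

  A pattern straddling two blocks would be missed if data arrived piecemeal,
  which is why this kind of analyzer needs the complete content in one call.
  SIZE_LIMIT is kept small here only so the skip path can be demonstrated.
  """
  NAME = 'pattern'
  INCREMENTAL_ANALYZER = False
  SIZE_LIMIT = 1024

  def __init__(self, patterns):
    self._patterns = patterns  # {rule name: byte sequence}, constructed input
    self.Reset()

  def Analyze(self, data):
    self._matches = [
        name for name, needle in self._patterns.items() if needle in data]

  def GetResults(self):
    return [('pattern_match', name) for name in self._matches]

  def Reset(self):
    self._matches = []

def AnalyzeDataStream(file_object, file_size, analyzers, read_size=64):
  """Runs each analyzer over the stream; returns {NAME: results, or None if skipped}."""
  results = {}
  for analyzer in analyzers:
    analyzer.Reset()  # never carry state over from a previous stream
    if not analyzer.INCREMENTAL_ANALYZER and file_size > analyzer.SIZE_LIMIT:
      # Too large to buffer whole: record the gap rather than analyzing a
      # truncated copy, which could yield a misleading "no match".
      results[analyzer.NAME] = None
      continue
    file_object.seek(0)
    if analyzer.INCREMENTAL_ANALYZER:
      data = file_object.read(read_size)
      while data:
        analyzer.Analyze(data)
        data = file_object.read(read_size)
    else:
      analyzer.Analyze(file_object.read(analyzer.SIZE_LIMIT))
    results[analyzer.NAME] = analyzer.GetResults()
  return results

def RunExample(content):
  """Analyzes constructed content with one analyzer of each kind."""
  analyzers = [DigestAnalyzer(), PatternAnalyzer(
      {'mz_header': b'MZ', 'marker': b'CONSTRUCTED-IOC'})]
  return AnalyzeDataStream(io.BytesIO(content), len(content), analyzers)

if __name__ == '__main__':
  print(RunExample(b'MZ' + b'\x00' * 100 + b'CONSTRUCTED-IOC'))  # both run
  print(RunExample(b'A' * 2048 + b'CONSTRUCTED-IOC'))  # pattern skipped: None
```

A None result is the honest outcome for an oversized stream: the incremental digest is still recorded, while the rule match is reported as not performed rather than as "no match" for content that was never examined.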
Module contents

This file imports Python modules that register analyzers.

plaso.cli package

Subpackages
plaso.cli.helpers package
Submodules
plaso.cli.helpers.analysis_plugins module

The analysis plugins CLI arguments helper.

class plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Analysis plugins CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Analysis plugins command line arguments.'
NAME = 'analysis_plugins'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:

BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.artifact_definitions module

The artifact definitions CLI arguments helper.

class plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Artifact definition CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Artifact definition command line arguments.'
NAME = 'artifact_definitions'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:
  • BadConfigObject – when the configuration object is of the wrong type.
  • BadConfigOption – if the required artifact definitions are not defined.
plaso.cli.helpers.artifact_filters module

The artifacts filter file CLI arguments helper.

class plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Artifacts filter file CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Artifact filters command line arguments.'
NAME = 'artifact_filters'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:
  • BadConfigObject – when the configuration object is of the wrong type.
  • BadConfigOption – if the required artifact definitions are not defined.
plaso.cli.helpers.data_location module

The data location CLI arguments helper.

class plaso.cli.helpers.data_location.DataLocationArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Data location CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Data location command line arguments.'
NAME = 'data_location'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:

BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.database_config module

The database configuration CLI arguments helper.

class plaso.cli.helpers.database_config.DatabaseArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Database configuration CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Argument helper for a database configuration.'
NAME = 'database_config'
classmethod ParseOptions(options, output_module)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • output_module (OutputModule) – output module to configure.
Raises:

BadConfigObject – when the output module object does not have the SetCredentials or SetDatabaseName methods.

plaso.cli.helpers.date_filters module

The date filters CLI arguments helper.

class plaso.cli.helpers.date_filters.DateFiltersArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Date filters CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Date filters command line arguments.'
NAME = 'date_filters'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:

BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.dynamic_output module

The dynamic output module CLI arguments helper.

class plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Dynamic output module CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the dynamic output module.'
NAME = 'dynamic'
classmethod ParseOptions(options, output_module)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • output_module (OutputModule) – output module to configure.
Raises:
  • BadConfigObject – when the output module object is of the wrong type.
  • BadConfigOption – when the output filename was not provided.
plaso.cli.helpers.elastic_output module

The Elastic Search output module CLI arguments helper.

class plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Elastic Search output module CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the Elastic Search output modules.'
NAME = 'elastic'
classmethod ParseOptions(options, output_module)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • output_module (OutputModule) – output module to configure.
Raises:
  • BadConfigObject – when the output module object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation.
class plaso.cli.helpers.elastic_output.ElasticSearchServerArgumentsHelper[source]

Bases: plaso.cli.helpers.server_config.ServerArgumentsHelper

Elastic Search server CLI arguments helper.

plaso.cli.helpers.event_filters module

The event filters CLI arguments helper.

class plaso.cli.helpers.event_filters.EventFiltersArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Event filters CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Event filters command line arguments.'
NAME = 'event_filters'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:
  • BadConfigObject – when the configuration object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.extraction module

The extraction CLI arguments helper.

class plaso.cli.helpers.extraction.ExtractionArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Extraction CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Extraction command line arguments.'
NAME = 'extraction'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:

BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.filter_file module

The filter file CLI arguments helper.

class plaso.cli.helpers.filter_file.FilterFileArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Filter file CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Filter file command line arguments.'
NAME = 'filter_file'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:

BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.hashers module

The hashers CLI arguments helper.

class plaso.cli.helpers.hashers.HashersArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Hashers CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Hashers command line arguments.'
NAME = 'hashers'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:
  • BadConfigObject – when the configuration object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.interface module

The arguments helper interface.

class plaso.cli.helpers.interface.ArgumentsHelper[source]

Bases: object

CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = ''
DESCRIPTION = ''
NAME = 'baseline'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (object) – object to be configured by the argument helper.
Raises:
  • BadConfigObject – when the configuration object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.language module

The language CLI arguments helper.

class plaso.cli.helpers.language.LanguageArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Language CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Language command line arguments.'
NAME = 'language'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:

BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.manager module

The CLI arguments helper manager objects.

class plaso.cli.helpers.manager.ArgumentHelperManager[source]

Bases: object

Class that implements the CLI argument helper manager.

classmethod AddCommandLineArguments(argument_group, category=None, names=None)[source]

Adds command line arguments to a configuration object.

Parameters:
  • argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
  • category (Optional[str]) – category of helpers to apply to the group, such as storage, output, where None will apply the arguments to all helpers. The category can be used to add arguments to a specific group of registered helpers.
  • names (Optional[list[str]]) – names of argument helpers to apply, where None will apply the arguments to all helpers.
classmethod DeregisterHelper(helper_class)[source]

Deregisters a helper class.

The helper classes are identified based on their lower case name.

Parameters:helper_class (type) – class object of the argument helper.
Raises:KeyError – if helper class is not set for the corresponding name.
classmethod ParseOptions(options, config_object, category=None, names=None)[source]

Parses and validates arguments using the appropriate helpers.

Parameters:
  • options (argparse.Namespace) – parser options.
  • config_object (object) – object to be configured by an argument helper.
  • category (Optional[str]) – category of helpers to apply to the group, such as storage, output, where None will apply the arguments to all helpers. The category can be used to add arguments to a specific group of registered helpers.
  • names (Optional[list[str]]) – names of argument helpers to apply, where None will apply the arguments to all helpers.
classmethod RegisterHelper(helper_class)[source]

Registers a helper class.

The helper classes are identified based on their lower case name.

Parameters:helper_class (type) – class object of the argument helper.
Raises:KeyError – if helper class is already set for the corresponding name.
classmethod RegisterHelpers(helper_classes)[source]

Registers helper classes.

The helper classes are identified based on their lower case name.

Parameters:helper_classes (list[type]) – class objects of the argument helpers.
Raises:KeyError – if helper class is already set for the corresponding name.
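Every helper in this package has the same shape: a NAME (the key it is registered under, lower-cased), an optional CATEGORY, an AddArguments() that extends an argparse parser or group, and a ParseOptions() that validates the parsed values into a configuration object, raising BadConfigObject when handed the wrong kind of object and BadConfigOption when a value fails validation. The manager applies both steps to the helpers selected by category or by name. The stand-alone Python below is an added example for these docs, not plaso's helpers: the flags --example-hashers and --example-output-file, the ExampleTool configuration object, the two exception classes and ConfigureTool are hypothetical, and only the structure is taken from the documented interface.

```python
"""The ArgumentsHelper / ArgumentHelperManager pattern, stand-alone.

Example code for these docs, not plaso's own helpers: the flags
--example-hashers and --example-output-file, ExampleTool and the exception
classes are hypothetical; the structure (AddArguments, ParseOptions,
NAME/CATEGORY, registration by lower-case name, selection by category or
names, BadConfigObject/BadConfigOption) follows the documented interface.
"""
import argparse

class BadConfigObject(Exception):
  """Raised when the object passed to ParseOptions is of the wrong type."""

class BadConfigOption(Exception):
  """Raised when a command line value fails validation."""

class ExampleTool(object):
  """Hypothetical configuration object populated by the helpers."""
  hasher_names = ()
  output_file = None

class ArgumentsHelper(object):
  NAME = 'baseline'
  CATEGORY = ''

  @classmethod
  def AddArguments(cls, argument_group):
    raise NotImplementedError()

  @classmethod
  def ParseOptions(cls, options, configuration_object):
    if not isinstance(configuration_object, ExampleTool):
      raise BadConfigObject('Configuration object is not an ExampleTool.')

class HashersArgumentsHelper(ArgumentsHelper):
  NAME = 'hashers'
  _KNOWN_HASHERS = ('md5', 'sha1', 'sha256')

  @classmethod
  def AddArguments(cls, argument_group):
    argument_group.add_argument(
        '--example-hashers', dest='hashers', default='sha256')

  @classmethod
  def ParseOptions(cls, options, configuration_object):
    super().ParseOptions(options, configuration_object)
    names = [name.strip().lower() for name in options.hashers.split(',')]
    unknown = [name for name in names if name not in cls._KNOWN_HASHERS]
    if unknown:
      # Fail closed: a typo must not silently leave a hasher disabled.
      raise BadConfigOption('Unknown hasher(s): {0:s}.'.format(', '.join(unknown)))
    configuration_object.hasher_names = names

class OutputFileArgumentsHelper(ArgumentsHelper):
  NAME = 'output_file'
  CATEGORY = 'output'

  @classmethod
  def AddArguments(cls, argument_group):
    argument_group.add_argument('--example-output-file', dest='output_file')

  @classmethod
  def ParseOptions(cls, options, configuration_object):
    super().ParseOptions(options, configuration_object)
    if not options.output_file:
      raise BadConfigOption('Output file was not provided.')
    configuration_object.output_file = options.output_file

class ArgumentHelperManager(object):
  _helper_classes = {}  # keyed on lower-case helper name

  @classmethod
  def RegisterHelper(cls, helper_class):
    name = helper_class.NAME.lower()
    if name in cls._helper_classes:
      raise KeyError('Helper class already set for name: {0:s}.'.format(name))
    cls._helper_classes[name] = helper_class

  @classmethod
  def _SelectHelpers(cls, category, names):
    # None selects every registered helper; category or names narrow the set.
    for name, helper_class in sorted(cls._helper_classes.items()):
      if (category is None or helper_class.CATEGORY == category) and (
          names is None or name in names):
        yield helper_class

  @classmethod
  def AddCommandLineArguments(cls, argument_group, category=None, names=None):
    for helper_class in cls._SelectHelpers(category, names):
      helper_class.AddArguments(argument_group)

  @classmethod
  def ParseOptions(cls, options, config_object, category=None, names=None):
    for helper_class in cls._SelectHelpers(category, names):
      helper_class.ParseOptions(options, config_object)

ArgumentHelperManager.RegisterHelper(HashersArgumentsHelper)
ArgumentHelperManager.RegisterHelper(OutputFileArgumentsHelper)

def ConfigureTool(argv, category=None, names=None):
  """Adds the selected helpers' flags, parses argv and returns a configured ExampleTool."""
  parser = argparse.ArgumentParser(prog='example_tool')
  ArgumentHelperManager.AddCommandLineArguments(parser, category=category, names=names)
  options = parser.parse_args(argv)
  tool = ExampleTool()
  ArgumentHelperManager.ParseOptions(options, tool, category=category, names=names)
  return tool
```

Validation in this example fails closed: an unknown hasher name raises BadConfigOption instead of being dropped, so a typo on the command line cannot quietly disable hashing. Selecting with category='output' adds and parses only the output helper, which is how a tool exposes just the flags relevant to the module it is configuring; the same manager call with names=[...] does the same by helper name.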
plaso.cli.helpers.mysql_4n6time_output module

The 4n6time MySQL database output module CLI arguments helper.

class plaso.cli.helpers.mysql_4n6time_output.MySQL4n6TimeDatabaseArgumentsHelper[source]

Bases: plaso.cli.helpers.database_config.DatabaseArgumentsHelper

4n6time MySQL database server CLI arguments helper.

class plaso.cli.helpers.mysql_4n6time_output.MySQL4n6TimeOutputArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

4n6time MySQL database output module CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the 4n6Time MySQL output module.'
NAME = '4n6time_mysql'
classmethod ParseOptions(options, output_module)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • output_module (OutputModule) – output module to configure.
Raises:

BadConfigObject – when the output module object is of the wrong type.

plaso.cli.helpers.nsrlsvr_analysis module

The nsrlsvr analysis plugin CLI arguments helper.

class plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Nsrlsvr analysis plugin CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – group to append arguments to.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the nsrlsvr analysis plugin.'
NAME = 'nsrlsvr'
classmethod ParseOptions(options, analysis_plugin)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options object.
  • analysis_plugin (NsrlsvrAnalysisPlugin) – analysis plugin to configure.
Raises:
  • BadConfigObject – when the analysis plugin is the wrong type.
  • BadConfigOption – when unable to connect to nsrlsvr instance.
plaso.cli.helpers.output_modules module

The output modules CLI arguments helper.

class plaso.cli.helpers.output_modules.OutputModulesArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Output modules CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Output modules command line arguments.'
NAME = 'output_modules'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:

BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.parsers module

The parsers CLI arguments helper.

class plaso.cli.helpers.parsers.ParsersArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Parsers CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Parsers command line arguments.'
NAME = 'parsers'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:

BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.process_resources module

The process resources CLI arguments helper.

class plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Process resources CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Process resources command line arguments.'
NAME = 'process_resources'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:
  • BadConfigObject – when the configuration object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.profiling module

The profiling CLI arguments helper.

class plaso.cli.helpers.profiling.ProfilingArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Profiling CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DEFAULT_PROFILING_SAMPLE_RATE = 1000
DESCRIPTION = 'Profiling command line arguments.'
NAME = 'profiling'
PROFILERS_INFORMATION = {'memory': 'Profile memory usage over time', 'parsers': 'Profile CPU time per parser', 'processing': 'Profile CPU time of processing phases', 'serializers': 'Profile CPU time of serialization', 'storage': 'Profile storage reads and writes', 'task_queue': 'Profile task queue status (multi-processing only)', 'tasks': 'Profile the status of tasks (multi-processing only)'}
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:

BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.server_config module

The server configuration CLI arguments helper.

class plaso.cli.helpers.server_config.ServerArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Server configuration CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Argument helper for a server configuration.'
NAME = 'server_config'
classmethod ParseOptions(options, output_module)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • output_module (OutputModule) – output module to configure.
Raises:

BadConfigObject – when the output module object does not have the SetServerInformation method.

plaso.cli.helpers.sessionize_analysis module

The sessionize analysis plugin CLI arguments helper.

class plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Sessionize analysis plugin CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the Sessionize analysis plugin.'
NAME = 'sessionize'
classmethod ParseOptions(options, analysis_plugin)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • analysis_plugin (OutputModule) – analysis plugin to configure.
Raises:
  • BadConfigObject – when the output module object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.shared_4n6time_output module

The 4n6time output modules shared CLI arguments helper.

class plaso.cli.helpers.shared_4n6time_output.Shared4n6TimeOutputArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

4n6time output modules shared CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for shared 4n6Time output modules.'
NAME = '4n6time'
classmethod ParseOptions(options, output_module)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • output_module (OutputModule) – output module to configure.
Raises:BadConfigObject – when the output module object is of the wrong type.

plaso.cli.helpers.sqlite_4n6time_output module

The 4n6time SQLite database output module CLI arguments helper.

class plaso.cli.helpers.sqlite_4n6time_output.SQLite4n6TimeOutputArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

4n6time SQLite database output module CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the 4n6Time SQLite output module.'
NAME = '4n6time_sqlite'
classmethod ParseOptions(options, output_module)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • output_module (OutputModule) – output module to configure.
Raises:
  • BadConfigObject – when the output module object is of the wrong type.
  • BadConfigOption – when the output filename was not provided.
plaso.cli.helpers.status_view module

The status view CLI arguments helper.

class plaso.cli.helpers.status_view.StatusViewArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Status view CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Status view command line arguments.'
NAME = 'status_view'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.storage_file module

The storage file CLI arguments helper.

class plaso.cli.helpers.storage_file.StorageFileArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Storage file CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Storage file command line arguments.'
NAME = 'storage_file'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.storage_format module

The storage format CLI arguments helper.

class plaso.cli.helpers.storage_format.StorageFormatArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Storage format CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Storage format command line arguments.'
NAME = 'storage_format'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:
  • BadConfigObject – when the configuration object is of the wrong type.
  • BadConfigOption – if the storage format is not defined or supported.
plaso.cli.helpers.tagging_analysis module

The tagging analysis plugin CLI arguments helper.

class plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Tagging analysis plugin CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the Tagging analysis plugin.'
NAME = 'tagging'
classmethod ParseOptions(options, analysis_plugin)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • analysis_plugin (AnalysisPlugin) – analysis plugin to configure.
Raises:
  • BadConfigObject – when the output module object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.temporary_directory module

The temporary directory CLI arguments helper.

class plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Temporary directory CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Temporary directory command line arguments.'
NAME = 'temporary_directory'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.text_prepend module

The text prepend CLI arguments helper.

class plaso.cli.helpers.text_prepend.TextPrependArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Text prepend CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Text prepend command line arguments.'
NAME = 'text_prepend'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.timesketch_output module

The Timesketch output module CLI arguments helper.

class plaso.cli.helpers.timesketch_output.TimesketchOutputArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Timesketch output module CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the timesketch output module.'
NAME = 'timesketch'
classmethod ParseOptions(options, output_module)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • output_module (TimesketchOutputModule) – output module to configure.
Raises:
  • BadConfigObject – when the output module object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.viper_analysis module

The Viper analysis plugin CLI arguments helper.

class plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Viper analysis plugin CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the Viper analysis plugin.'
NAME = 'viper'
classmethod ParseOptions(options, analysis_plugin)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • analysis_plugin (ViperAnalysisPlugin) – analysis plugin to configure.
Raises:
  • BadConfigObject – when the output module object is of the wrong type.
  • BadConfigOption – when unable to connect to Viper instance.
plaso.cli.helpers.virustotal_analysis module

The VirusTotal analysis plugin CLI arguments helper.

class plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

VirusTotal analysis plugin CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the VirusTotal analysis plugin.'
NAME = 'virustotal'
classmethod ParseOptions(options, analysis_plugin)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • analysis_plugin (VirusTotalAnalysisPlugin) – analysis plugin to configure.
Raises:
  • BadConfigObject – when the output module object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation or when unable to connect to VirusTotal.
plaso.cli.helpers.windows_services_analysis module

The Windows Services analysis plugin CLI arguments helper.

class plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Windows Services analysis plugin CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the Windows Services analysis plugin.'
NAME = 'windows_services'
classmethod ParseOptions(options, analysis_plugin)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • analysis_plugin (WindowsServicePlugin) – analysis plugin to configure.
Raises:BadConfigObject – when the output module object is of the wrong type.

plaso.cli.helpers.workers module

The worker processes CLI arguments helper.

class plaso.cli.helpers.workers.WorkersArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

Worker processes CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Worker processes command line arguments.'
NAME = 'workers'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:
  • BadConfigObject – when the configuration object is of the wrong type.
  • BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.xlsx_output module

The XLSX output module CLI arguments helper.

class plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

XLSX output module CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments the helper supports to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the XLSX output module.'
NAME = 'xlsx'
classmethod ParseOptions(options, output_module)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • output_module (XLSXOutputModule) – output module to configure.
Raises:
  • BadConfigObject – when the output module object is of the wrong type.
  • BadConfigOption – when the output filename was not provided.
plaso.cli.helpers.yara_rules module

The YARA rules CLI arguments helper.

class plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

YARA rules CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'YARA rules command line arguments.'
NAME = 'yara_rules'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.zeromq module

The ZeroMQ CLI arguments helper.

class plaso.cli.helpers.zeromq.ZeroMQArgumentsHelper[source]

Bases: plaso.cli.helpers.interface.ArgumentsHelper

ZeroMQ CLI arguments helper.

classmethod AddArguments(argument_group)[source]

Adds command line arguments to an argument group.

This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

Parameters:argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'ZeroMQ command line arguments.'
NAME = 'zeromq'
classmethod ParseOptions(options, configuration_object)[source]

Parses and validates options.

Parameters:
  • options (argparse.Namespace) – parser options.
  • configuration_object (CLITool) – object to be configured by the argument helper.
Raises:BadConfigObject – when the configuration object is of the wrong type.

Module contents

This file imports Python modules that register CLI helpers.
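Every helper listed above follows the same two-step contract: AddArguments registers the flags on an argparse group, and ParseOptions checks the configured object's type (BadConfigObject) and validates the supplied values (BadConfigOption) before storing them. The following is an added example written for this page, not plaso's own code: it re-implements that contract for a worker-count helper with stand-in exception and CLITool classes, and the --workers flag name and the default of 0 are assumptions made for the example.

```python
"""Added example of the ArgumentsHelper pattern used by plaso.cli.helpers.

Illustrative code written for this page. The exception classes, CLITool and
ArgumentsHelper below are stand-ins for plaso.lib.errors, plaso.cli.tools and
plaso.cli.helpers.interface, not the real implementations.
"""
import argparse


class BadConfigObject(Exception):
    """Stand-in for plaso.lib.errors.BadConfigObject (assumed name)."""


class BadConfigOption(Exception):
    """Stand-in for plaso.lib.errors.BadConfigOption (assumed name)."""


class CLITool(object):
    """Minimal stand-in for the object a helper configures."""

    def __init__(self):
        self._number_of_extraction_workers = 0


class ArgumentsHelper(object):
    """Stand-in for plaso.cli.helpers.interface.ArgumentsHelper."""

    NAME = ''
    DESCRIPTION = ''

    @classmethod
    def AddArguments(cls, argument_group):
        raise NotImplementedError()

    @classmethod
    def ParseOptions(cls, options, configuration_object):
        raise NotImplementedError()


class WorkersArgumentsHelper(ArgumentsHelper):
    """Worker processes CLI arguments helper (simplified re-implementation)."""

    NAME = 'workers'
    DESCRIPTION = 'Worker processes command line arguments.'

    @classmethod
    def AddArguments(cls, argument_group):
        # The flag name and default are assumptions made for this example.
        argument_group.add_argument(
            '--workers', dest='workers', action='store', type=int,
            default=0, metavar='NUMBER',
            help='Number of worker processes (0 lets the tool decide).')

    @classmethod
    def ParseOptions(cls, options, configuration_object):
        # A wrong object is a programming error, reported as BadConfigObject.
        if not isinstance(configuration_object, CLITool):
            raise BadConfigObject(
                'Configuration object is not an instance of CLITool')

        number_of_workers = getattr(options, 'workers', 0)
        # Validate the user-supplied value before it reaches the engine.
        if number_of_workers is None or number_of_workers < 0:
            raise BadConfigOption(
                'Invalid number of workers value: {0!s}'.format(
                    number_of_workers))

        setattr(configuration_object, '_number_of_extraction_workers',
                number_of_workers)


def ParseWorkers(argv, configuration_object=None):
    """Runs the helper end to end and returns the configured worker count."""
    parser = argparse.ArgumentParser(add_help=False)
    group = parser.add_argument_group('processing arguments')
    WorkersArgumentsHelper.AddArguments(group)
    options = parser.parse_args(argv)
    if configuration_object is None:
        configuration_object = CLITool()
    WorkersArgumentsHelper.ParseOptions(options, configuration_object)
    return configuration_object._number_of_extraction_workers


def TryParseWorkers(argv, configuration_object=None):
    """Like ParseWorkers, but returns (value, error class name) instead of raising."""
    try:
        return ParseWorkers(argv, configuration_object), None
    except (BadConfigObject, BadConfigOption) as exception:
        return None, type(exception).__name__


if __name__ == '__main__':
    print(ParseWorkers(['--workers', '4']))
```

Keeping the type check separate from the value check is what lets the tools distinguish a wiring bug in the tool (BadConfigObject) from bad input on the command line (BadConfigOption), which is the split the Raises sections above document.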

Submodules
plaso.cli.extraction_tool module

The extraction CLI tool.

class plaso.cli.extraction_tool.ExtractionTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.storage_media_tool.StorageMediaTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.ParsersOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions

Extraction CLI tool.

AddPerformanceOptions(argument_group)[source]

Adds the performance options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddProcessingOptions(argument_group)[source]

Adds the processing options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
plaso.cli.image_export_tool module

The image export CLI tool.

class plaso.cli.image_export_tool.ImageExportTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.storage_media_tool.StorageMediaTool

Class that implements the image export CLI tool.

has_filters

bool – True if filters have been specified via the options.

list_signature_identifiers

bool – True if information about the signature identifiers should be shown.

AddFilterOptions(argument_group)[source]

Adds the filter options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
DESCRIPTION = 'This is a simple collector designed to export files inside an image, both within a regular RAW image as well as inside a VSS. The tool uses a collection filter that uses the same syntax as a targeted plaso filter.'
EPILOG = 'And that is how you export files, plaso style.'
ListSignatureIdentifiers()[source]

Lists the signature identifiers.

Raises:BadConfigOption – if the data location is invalid.
NAME = 'image_export'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses the options and initializes the front-end.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.
PrintFilterCollection()[source]

Prints the filter collection.

ProcessSources()[source]

Processes the sources.

Raises:
  • SourceScannerError – if the source scanner could not find a supported file system.
  • UserAbort – if the user initiated an abort.
plaso.cli.log2timeline_tool module

The log2timeline CLI tool.

class plaso.cli.log2timeline_tool.Log2TimelineTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.extraction_tool.ExtractionTool

Log2timeline CLI tool.

dependencies_check

bool – True if the availability and versions of dependencies should be checked.

list_hashers

bool – True if the hashers should be listed.

list_parsers_and_plugins

bool – True if the parsers and plugins should be listed.

list_profilers

bool – True if the profilers should be listed.

show_info

bool – True if information about hashers, parsers, plugins, etc. should be shown.

DESCRIPTION = '\nlog2timeline is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device.\n\nMore information can be gathered from here:\n https://github.com/log2timeline/plaso/wiki/Using-log2timeline\n'
EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n log2timeline.py /cases/mycase/storage.plaso ímynd.dd\n\nInstead of answering questions, indicate some of the options on the\ncommand line (including data from particular VSS stores).\n log2timeline.py -o 63 --vss_stores 1,2 /cases/plaso_vss.plaso image.E01\n\nAnd that is how you build a timeline using log2timeline...\n'
ExtractEventsFromSources()[source]

Processes the sources and extracts events.

Raises:
  • BadConfigOption – if the storage file path is invalid or the storage format not supported.
  • SourceScannerError – if the source scanner could not find a supported file system.
  • UserAbort – if the user initiated an abort.
NAME = 'log2timeline'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses the options.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.
ShowInfo()[source]

Shows information about available hashers, parsers, plugins, etc.

plaso.cli.logger module

The CLI submodule logger.

plaso.cli.pinfo_tool module

The pinfo CLI tool.

class plaso.cli.pinfo_tool.PinfoTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.StorageFileOptions

Pinfo CLI tool.

CompareStores()[source]

Compares the contents of two stores.

Returns:True if the content of the stores is identical.
Return type:bool
DESCRIPTION = 'Shows information about a Plaso storage file, for example how it was collected, what information was extracted from a source, etc.'
NAME = 'pinfo'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses the options.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.
PrintStorageInformation()[source]

Prints the storage information.

plaso.cli.psort_tool module

The psort CLI tool.

class plaso.cli.psort_tool.PsortTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.AnalysisPluginOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions

Psort CLI tool.

list_analysis_plugins

bool – True if information about the analysis plugins should be shown.

list_language_identifiers

bool – True if information about the language identifiers should be shown.

list_output_modules

bool – True if information about the output modules should be shown.

list_profilers

bool – True if the profilers should be listed.

AddProcessingOptions(argument_group)[source]

Adds processing options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
DESCRIPTION = 'Application to read, filter and process output from a plaso storage file.'
NAME = 'psort'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses the options.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.
ProcessStorage()[source]

Processes a plaso storage file.

Raises:
  • BadConfigOption – when a configuration parameter fails validation.
  • RuntimeError – if a non-recoverable situation is encountered.
plaso.cli.psteal_tool module

The psteal CLI tool.

class plaso.cli.psteal_tool.PstealTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.extraction_tool.ExtractionTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.ParsersOptions, plaso.cli.tool_options.StorageFileOptions

Psteal CLI tool.

Psteal extracts events from the provided source and stores them in an intermediate storage file. After extraction an output log file is created. This mimics the behaviour of log2timeline.pl. The tool currently doesn’t support any of the log2timeline or psort tools’ flags.

dependencies_check

bool – True if the availability and versions of dependencies should be checked.

list_hashers

bool – True if the hashers should be listed.

list_language_identifiers

bool – True if information about the language identifiers should be shown.

list_output_modules

bool – True if information about the output modules should be shown.

list_parsers_and_plugins

bool – True if the parsers and plugins should be listed.

AnalyzeEvents()[source]

Analyzes events from a plaso storage file and generates a report.

Raises:
  • BadConfigOption – when a configuration parameter fails validation.
  • RuntimeError – if a non-recoverable situation is encountered.
DESCRIPTION = '\npsteal is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device. The output events will be stored in a storage file.\nThis tool will then read the output and process the events into a CSV \nfile.\n\nMore information can be gathered from here:\n https://github.com/log2timeline/plaso/wiki/Using-log2timeline\n'
EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n psteal.py --source ímynd.dd -w imynd.timeline.txt\n\nAnd that is how you build a timeline using psteal...\n'
ExtractEventsFromSources()[source]

Processes the sources and extracts events.

This is a stripped down copy of tools/log2timeline.py that doesn’t support the full set of flags. The defaults for these are hard coded in the constructor of this class.

Raises:
  • BadConfigOption – if the storage format is not supported.
  • SourceScannerError – if the source scanner could not find a supported file system.
  • UserAbort – if the user initiated an abort.
NAME = 'psteal'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses tool specific options.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.
plaso.cli.status_view module

The status view.

class plaso.cli.status_view.StatusView(output_writer, tool_name)[source]

Bases: object

Processing status view.

GetAnalysisStatusUpdateCallback()[source]

Retrieves the analysis status update callback function.

Returns:status update callback function or None.
Return type:function
GetExtractionStatusUpdateCallback()[source]

Retrieves the extraction status update callback function.

Returns:status update callback function or None.
Return type:function
MODE_LINEAR = 'linear'
MODE_WINDOW = 'window'
PrintExtractionStatusHeader(processing_status)[source]

Prints the extraction status header.

Parameters:processing_status (ProcessingStatus) – processing status.
PrintExtractionSummary(processing_status)[source]

Prints a summary of the extraction.

Parameters:processing_status (ProcessingStatus) – processing status.
SetMode(mode)[source]

Sets the mode.

Parameters:mode (str) – status view mode.
SetSourceInformation(source_path, source_type, artifact_filters=None, filter_file=None)[source]

Sets the source information.

Parameters:
  • source_path (str) – path of the source.
  • source_type (str) – source type.
  • artifact_filters (Optional[str]) – names of artifact definitions to use as filters.
  • filter_file (Optional[str]) – filter file.
SetStorageFileInformation(storage_file_path)[source]

Sets the storage file information.

Parameters:storage_file_path (str) – path to the storage file.
plaso.cli.storage_media_tool module

The storage media CLI tool.

class plaso.cli.storage_media_tool.StorageMediaTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.tools.CLITool

Class that implements a storage media CLI tool.

AddCredentialOptions(argument_group)[source]

Adds the credential options to the argument group.

The credential options are used to unlock encrypted volumes.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddStorageMediaImageOptions(argument_group)[source]

Adds the storage media image options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddVSSProcessingOptions(argument_group)[source]

Adds the VSS processing options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
ScanSource(source_path)[source]

Scans the source path for volume and file systems.

This function sets the internal source path specification and source type values.

Parameters:source_path (str) – path to the source.
Returns:source scanner context.
Return type:dfvfs.SourceScannerContext
Raises:SourceScannerError – if the format of or within the source is not supported.
plaso.cli.time_slices module

The time slice.

class plaso.cli.time_slices.TimeSlice(event_timestamp, duration=5)[source]

Bases: object

Time slice.

The time slice is used to provide a context of events around an event of interest.

duration

int – duration of the time slice in minutes.

event_timestamp

int – event timestamp of the time slice or None.

end_timestamp

int – slice end timestamp or None.

start_timestamp

int – slice start timestamp or None.
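The attributes above describe a window centred on one event: a duration in minutes on each side, and start and end timestamps derived from it (None when there is no event timestamp). The following is an added example written for this page, not plaso's own TimeSlice, showing how such a slice is computed and used to pull the surrounding context out of a timeline. It assumes, as plaso does, that timestamps are integer microseconds since the POSIX epoch; the sample events are constructed for the example.

```python
"""Added example re-implementing the plaso.cli.time_slices.TimeSlice idea.

Illustrative code for this page, not plaso's own implementation. Assumes
timestamps are integers counting microseconds since the POSIX epoch.
"""

MICROSECONDS_PER_MINUTE = 60 * 1000 * 1000


class TimeSlice(object):
    """Time slice: a window of context around an event of interest."""

    def __init__(self, event_timestamp, duration=5):
        # duration is in minutes on either side of the event, as on the page.
        self.duration = duration
        self.event_timestamp = event_timestamp
        if event_timestamp is None:
            self.start_timestamp = None
            self.end_timestamp = None
        else:
            delta = duration * MICROSECONDS_PER_MINUTE
            self.start_timestamp = event_timestamp - delta
            self.end_timestamp = event_timestamp + delta

    def Contains(self, timestamp):
        """Returns True if the timestamp falls inside the slice."""
        if self.start_timestamp is None:
            return False
        return self.start_timestamp <= timestamp <= self.end_timestamp


def EventsInSlice(events, time_slice):
    """Returns the (timestamp, message) events inside the slice, in time order."""
    selected = [event for event in events if time_slice.Contains(event[0])]
    return sorted(selected, key=lambda event: event[0])


# Constructed sample timeline (microsecond timestamps), not real case data.
_BASE = 1500000000 * 1000000
SAMPLE_EVENTS = [
    (_BASE, 'interactive login'),
    (_BASE + 120 * 1000000, 'shell process spawned'),
    (_BASE + 240 * 1000000, 'scheduled task created'),
    (_BASE + 1800 * 1000000, 'log rotation'),
    (_BASE - 900 * 1000000, 'package install'),
]


def ContextAroundLogin(duration=5):
    """Messages for events within `duration` minutes of the login event."""
    time_slice = TimeSlice(_BASE, duration=duration)
    return [message for _, message in EventsInSlice(SAMPLE_EVENTS, time_slice)]


if __name__ == '__main__':
    print(ContextAroundLogin())
```

With the default five-minute duration the slice spans 300 seconds either side of the login, so the shell and scheduled-task events are kept while the log rotation 30 minutes later and the install 15 minutes earlier fall outside it; widening the duration to 15 minutes brings the earlier install back in.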

plaso.cli.tool_options module

The CLI tool options mix-ins.

class plaso.cli.tool_options.AnalysisPluginOptions[source]

Bases: object

Analysis plugin options mix-in.

ListAnalysisPlugins()[source]

Lists the analysis modules.

class plaso.cli.tool_options.HashersOptions[source]

Bases: object

Hashers options mix-in.

ListHashers()[source]

Lists information about the available hashers.

class plaso.cli.tool_options.OutputModuleOptions[source]

Bases: object

Output module options mix-in.

ListLanguageIdentifiers()[source]

Lists the language identifiers.

ListOutputModules()[source]

Lists the output modules.

class plaso.cli.tool_options.ParsersOptions[source]

Bases: object

Parsers options mix-in.

ListParsersAndPlugins()[source]

Lists information about the available parsers and plugins.

class plaso.cli.tool_options.ProfilingOptions[source]

Bases: object

Profiling options mix-in.

ListProfilers()[source]

Lists information about the available profilers.

class plaso.cli.tool_options.StorageFileOptions[source]

Bases: object

Storage file options mix-in.

plaso.cli.tools module

The CLI tools classes.

class plaso.cli.tools.CLIInputReader(encoding='utf-8')[source]

Bases: object

CLI input reader interface.

Read()[source]

Reads a string from the input.

Returns:input.
Return type:str
class plaso.cli.tools.CLIOutputWriter(encoding='utf-8')[source]

Bases: object

CLI output writer interface.

Write(string)[source]

Writes a string to the output.

Parameters:string (str) – output.
class plaso.cli.tools.CLITool(input_reader=None, output_writer=None)[source]

Bases: object

CLI tool.

list_timezones

bool – True if the time zones should be listed.

preferred_encoding

str – preferred encoding of single-byte or multi-byte character strings, sometimes referred to as extended ASCII.

AddBasicOptions(argument_group)[source]

Adds the basic options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddInformationalOptions(argument_group)[source]

Adds the informational options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddLogFileOptions(argument_group)[source]

Adds the log file option to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddTimeZoneOption(argument_group)[source]

Adds the time zone option to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
GetCommandLineArguments()[source]

Retrieves the command line arguments.

Returns:command line arguments.
Return type:str
ListTimeZones()[source]

Lists the timezones.

NAME = ''
ParseNumericOption(options, name, base=10, default_value=None)[source]

Parses a numeric option.

If the option is not set the default value is returned.

Parameters:
  • options (argparse.Namespace) – command line arguments.
  • name (str) – name of the numeric option.
  • base (Optional[int]) – base of the numeric value.
  • default_value (Optional[object]) – default value.
Returns:

numeric value.

Return type:

int

Raises:

BadConfigOption – if the options are invalid.

ParseStringOption(options, argument_name, default_value=None)[source]

Parses a string command line argument.

Parameters:
  • options (argparse.Namespace) – command line arguments.
  • argument_name (str) – name of the command line argument.
  • default_value (Optional[object]) – default value of the command line argument.
Returns:

command line argument value. If the command line argument is not set the default value will be returned.

Return type:

object

Raises:

BadConfigOption – if the command line argument value cannot be converted to a Unicode string.

PrintSeparatorLine()[source]

Prints a separator line.

class plaso.cli.tools.FileObjectInputReader(file_object, encoding='utf-8')[source]

Bases: plaso.cli.tools.CLIInputReader

File-like object input reader.

This input reader relies on the file-like object having a readline method.

Read()[source]

Reads a string from the input.

Returns:input.
Return type:str
class plaso.cli.tools.FileObjectOutputWriter(file_object, encoding='utf-8')[source]

Bases: plaso.cli.tools.CLIOutputWriter

File-like object output writer.

This output writer relies on the file-like object having a write method.

Write(string)[source]

Writes a string to the output.

Parameters:string (str) – output.
class plaso.cli.tools.StdinInputReader(encoding='utf-8')[source]

Bases: plaso.cli.tools.FileObjectInputReader

Stdin input reader.

class plaso.cli.tools.StdoutOutputWriter(encoding='utf-8')[source]

Bases: plaso.cli.tools.FileObjectOutputWriter

Stdout output writer.

Write(string)[source]

Writes a string to the output.

Parameters:string (str) – output.
plaso.cli.views module

View classes.

class plaso.cli.views.BaseTableView(column_names=None, title=None)[source]

Bases: object

Table view interface.

AddRow(values)[source]

Adds a row of values.

Parameters:values (list[object]) – values.
Raises:ValueError – if the number of values is out of bounds.
Write(output_writer)[source]

Writes the table to the output writer.

Parameters:output_writer (OutputWriter) – output writer.
class plaso.cli.views.CLITableView(column_names=None, title=None)[source]

Bases: plaso.cli.views.BaseTableView

Command line table view.

Note that currently this table view does not support more than 2 columns.

AddRow(values)[source]

Adds a row of values.

Parameters:values (list[object]) – values.
Raises:ValueError – if the number of values is out of bounds.
Write(output_writer)[source]

Writes the table to the output writer.

Parameters:output_writer (OutputWriter) – output writer.
Raises:RuntimeError – if the title exceeds the maximum width or if the table has more than 2 columns or if the column width is out of bounds.
class plaso.cli.views.CLITabularTableView(column_names=None, column_sizes=None, title=None)[source]

Bases: plaso.cli.views.BaseTableView

Command line tabular table view interface.

AddRow(values)[source]

Adds a row of values.

Parameters:values (list[object]) – values.
Raises:ValueError – if the number of values is out of bounds.
Write(output_writer)[source]

Writes the table to the output writer.

Parameters:output_writer (OutputWriter) – output writer.
class plaso.cli.views.MarkdownTableView(column_names=None, title=None)[source]

Bases: plaso.cli.views.BaseTableView

Markdown table view.

Write(output_writer)[source]

Writes the table to the output writer.

Parameters:output_writer (OutputWriter) – output writer.
class plaso.cli.views.ViewsFactory[source]

Bases: object

Views factory.

FORMAT_TYPE_CLI = 'cli'
FORMAT_TYPE_MARKDOWN = 'markdown'
classmethod GetTableView(format_type, column_names=None, title=None)[source]

Retrieves a table view.

Parameters:
  • format_type (str) – table view format type.
  • column_names (Optional[list[str]]) – column names.
  • title (Optional[str]) – title.
Returns:

table view.

Return type:

BaseTableView

Raises:

ValueError – if the format type is not supported.

Module contents

plaso.containers package

Submodules
plaso.containers.analyzer_result module

Analyzer result attribute container.

class plaso.containers.analyzer_result.AnalyzerResult[source]

Bases: plaso.containers.interface.AttributeContainer

Attribute container to store results of analyzers.

Analyzers can produce results with different attribute names. For example, the ‘hashing’ analyzer could produce an attribute ‘md5_hash’, with a value of ‘d41d8cd98f00b204e9800998ecf8427e’.

analyzer_name

str – name of the analyzer that produced the result.

attribute_name

str – name of the attribute produced.

attribute_value

str – value of the attribute produced.

CONTAINER_TYPE = 'analyzer_result'
plaso.containers.artifacts module

Artifact attribute containers.

class plaso.containers.artifacts.ArtifactAttributeContainer[source]

Bases: plaso.containers.interface.AttributeContainer

Base class to represent an artifact attribute container.

class plaso.containers.artifacts.EnvironmentVariableArtifact(case_sensitive=True, name=None, value=None)[source]

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Environment variable artifact attribute container.

Also see:
https://en.wikipedia.org/wiki/Environment_variable
case_sensitive

bool – True if environment variable name is case sensitive.

name

str – environment variable name e.g. ‘SystemRoot’ as in ‘%SystemRoot%’ or ‘HOME’ in ‘$HOME’.

value

str – environment variable value e.g. ‘C:\Windows’ or ‘/home/user’.

CONTAINER_TYPE = 'environment_variable'
class plaso.containers.artifacts.HostnameArtifact(name=None, schema='DNS')[source]

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Hostname artifact attribute container.

Also see:
https://en.wikipedia.org/wiki/Hostname
http://cybox.mitre.org/language/version2.1/xsddocs/objects/Hostname_Object.html
name

str – name of the host according to the naming schema.

schema

str – naming schema e.g. DNS, NIS, SMB/NetBIOS.

CONTAINER_TYPE = 'hostname'
class plaso.containers.artifacts.SystemConfigurationArtifact(code_page=None, time_zone=None)[source]

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

System configuration artifact attribute container.

The system configuration contains the configuration data of a specific system installation e.g. Windows or Linux.

code_page

str – system code page.

hostname

HostnameArtifact – hostname.

keyboard_layout

str – keyboard layout.

operating_system

str – operating system for example “MacOS” or “Windows”.

operating_system_product

str – operating system product for example “Windows XP”.

operating_system_version

str – operating system version for example “10.9.2” or “8.1”.

time_zone

str – system time zone.

user_accounts

list[UserAccountArtifact] – user accounts.

CONTAINER_TYPE = 'system_configuration'
class plaso.containers.artifacts.UserAccountArtifact(full_name=None, group_identifier=None, identifier=None, user_directory=None, username=None)[source]

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

User account artifact attribute container.

Also see:
http://cybox.mitre.org/language/version2.1/xsddocs/objects/User_Account_Object.html
full_name

str – name describing the user e.g. full name.

group_identifier

str – identifier of the primary group the user is part of.

identifier

str – user identifier.

user_directory

str – path of the user (or home or profile) directory.

username

str – name uniquely identifying the user.

CONTAINER_TYPE = 'user_account'
plaso.containers.errors module

Error attribute containers.

class plaso.containers.errors.ExtractionError(message=None, parser_chain=None, path_spec=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Extraction error attribute container.

message

str – error message.

parser_chain

str – parser chain to which the error applies.

path_spec

dfvfs.PathSpec – path specification of the file entry to which the error applies.

CONTAINER_TYPE = 'extraction_error'
plaso.containers.event_sources module

Event source attribute containers.

class plaso.containers.event_sources.EventSource(path_spec=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Event source attribute container.

The event source object contains information about where a specific event originates e.g. a file, the $STANDARD_INFORMATION MFT attribute, or Application Compatibility cache.

data_type

str – attribute container type indicator.

file_entry_type

str – dfVFS file entry type.

path_spec

dfvfs.PathSpec – path specification.

CONTAINER_TYPE = 'event_source'
DATA_TYPE = None
__lt__(other)[source]

Compares if the event source attribute container is less than the other.

Parameters:other (EventSource) – event source attribute container to compare to.
Returns:True if the event source attribute container is less than the other.
Return type:bool
class plaso.containers.event_sources.FileEntryEventSource(path_spec=None)[source]

Bases: plaso.containers.event_sources.EventSource

File entry event source.

The file entry event source is an event source that represents a file within a file system.

DATA_TYPE = 'file_entry'
plaso.containers.events module

Event attribute containers.

class plaso.containers.events.EventData(data_type=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Event data attribute container.

data_type

str – event data type indicator.

offset

int – offset relative to the start of the data stream where the event data is stored.

query

str – query that was used to obtain the event data.

CONTAINER_TYPE = 'event_data'
class plaso.containers.events.EventObject[source]

Bases: plaso.containers.interface.AttributeContainer

Event attribute container.

The framework is designed to parse files and create events from individual records, log lines or keys extracted from files. The event object provides an extensible data store for event attributes.

data_type

str – event data type indicator.

display_name

str – display friendly version of the path specification.

filename

str – name of the file related to the event.

hostname

str – name of the host related to the event.

inode

int – inode of the file related to the event.

offset

int – offset of the event data.

pathspec

dfvfs.PathSpec – path specification of the file related to the event.

tag

EventTag – event tag.

timestamp

int – timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

timestamp_desc

str – description of the meaning of the timestamp.

CONTAINER_TYPE = 'event'
DATA_TYPE = None
GetEventDataIdentifier()[source]

Retrieves the identifier of the event data associated with the event.

The event data identifier is a storage specific value that should not be serialized.

Returns:event identifier or None when not set.
Return type:AttributeContainerIdentifier
SetEventDataIdentifier(event_data_identifier)[source]

Sets the identifier of the event data associated with the event.

The event data identifier is a storage specific value that should not be serialized.

Parameters:event_data_identifier (AttributeContainerIdentifier) – event identifier.
__lt__(other)[source]

Compares if the event attribute container is less than the other.

Events are compared by timestamp.

Parameters:other (EventObject) – event attribute container to compare to.
Returns:True if the event attribute container is less than the other.
Return type:bool
class plaso.containers.events.EventTag(comment=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Event tag attribute container.

comment

str – comments.

event_entry_index

int – serialized data stream entry index of the event, this attribute is used by the ZIP and GZIP storage files to uniquely identify the event linked to the tag.

event_stream_number

int – number of the serialized event stream, this attribute is used by the ZIP and GZIP storage files to uniquely identify the event linked to the tag.

labels

list[str] – labels, such as “malware”, “application_execution”.

AddComment(comment)[source]

Adds a comment to the event tag.

Parameters:comment (str) – comment.
AddLabel(label)[source]

Adds a label to the event tag.

Parameters:

label (str) – label.

Raises:
  • TypeError – if the label provided is not a string.
  • ValueError – if a label is malformed.
AddLabels(labels)[source]

Adds labels to the event tag.

Parameters:labels (list[str]) – labels.
Raises:ValueError – if a label is malformed.
CONTAINER_TYPE = 'event_tag'
classmethod CopyTextToLabel(text, prefix='')[source]

Copies a string to a label.

A label only supports a limited set of characters; therefore unsupported characters are replaced with an underscore.

Parameters:
  • text (str) – label text.
  • prefix (Optional[str]) – label prefix.
Returns:

label.

Return type:

str

CopyToDict()[source]

Copies the event tag to a dictionary.

Returns:event tag attributes.
Return type:dict[str, object]
GetEventIdentifier()[source]

Retrieves the identifier of the event associated with the event tag.

The event identifier is a storage specific value that should not be serialized.

Returns:event identifier or None when not set.
Return type:AttributeContainerIdentifier
SetEventIdentifier(event_identifier)[source]

Sets the identifier of the event associated with the event tag.

The event identifier is a storage specific value that should not be serialized.

Parameters:event_identifier (AttributeContainerIdentifier) – event identifier.
plaso.containers.interface module

The attribute container interface.

class plaso.containers.interface.AttributeContainer[source]

Bases: object

The attribute container interface.

This is the base class for objects that exist primarily as a container of attributes with basic accessors and mutators.

The CONTAINER_TYPE class attribute contains a string that identifies the container type e.g. the container type “event” identifies an event object.

Attributes are public class members of a serializable type. Protected and private class members are not to be serialized.

CONTAINER_TYPE = None
CopyFromDict(attributes)[source]

Copies the attribute container from a dictionary.

Parameters:attributes (dict[str, object]) – attribute values per name.
CopyToDict()[source]

Copies the attribute container to a dictionary.

Returns:attribute values per name.
Return type:dict[str, object]
GetAttributeNames()[source]

Retrieves the names of all attributes.

Returns:attribute names.
Return type:list[str]
GetAttributeValuesHash()[source]

Retrieves a comparable string of the attribute values.

Returns:hash of comparable string of the attribute values.
Return type:int
GetAttributeValuesString()[source]

Retrieves a comparable string of the attribute values.

Returns:comparable string of the attribute values.
Return type:str
GetAttributes()[source]

Retrieves the attribute names and values.

Attributes that are set to None are ignored.

Yields:tuple[str, object] – attribute name and value.
GetIdentifier()[source]

Retrieves the identifier.

The identifier is a storage specific value that should not be serialized.

Returns:a unique identifier for the container.
Return type:AttributeContainerIdentifier
GetSessionIdentifier()[source]

Retrieves the session identifier.

The session identifier is a storage specific value that should not be serialized.

Returns:session identifier.
Return type:str
SetIdentifier(identifier)[source]

Sets the identifier.

The identifier is a storage specific value that should not be serialized.

Parameters:identifier (AttributeContainerIdentifier) – identifier.
SetSessionIdentifier(session_identifier)[source]

Sets the session identifier.

The session identifier is a storage specific value that should not be serialized.

Parameters:session_identifier (str) – session identifier.
class plaso.containers.interface.AttributeContainerIdentifier[source]

Bases: object

The attribute container identifier.

The identifier is used to uniquely identify attribute containers. The value should be unique at runtime and in storage.

CopyToString()[source]

Copies the identifier to a string representation.

Returns:unique identifier or None.
Return type:str
plaso.containers.manager module

This file contains the attribute container manager class.

class plaso.containers.manager.AttributeContainersManager[source]

Bases: object

Class that implements the attribute container manager.

classmethod DeregisterAttributeContainer(attribute_container_class)[source]

Deregisters an attribute container class.

The attribute container classes are identified based on their lower case container type.

Parameters:attribute_container_class (type) – attribute container class.
Raises:KeyError – if attribute container class is not set for the corresponding container type.
classmethod GetAttributeContainer(container_type)[source]

Retrieves the attribute container for a specific container type.

Parameters:container_type (str) – container type.
Returns:attribute container.
Return type:AttributeContainer
classmethod RegisterAttributeContainer(attribute_container_class)[source]

Registers an attribute container class.

The attribute container classes are identified based on their lower case container type.

Parameters:attribute_container_class (type) – attribute container class.
Raises:KeyError – if attribute container class is already set for the corresponding container type.
classmethod RegisterAttributeContainers(attribute_container_classes)[source]

Registers attribute container classes.

The attribute container classes are identified based on their lower case container type.

Parameters:attribute_container_classes (list[type]) – attribute container classes.
Raises:KeyError – if attribute container class is already set for the corresponding container type.
plaso.containers.plist_event module

Plist event attribute containers.

class plaso.containers.plist_event.PlistTimeEventData[source]

Bases: plaso.containers.events.EventData

Plist event data attribute container.

desc

str – description.

hostname

str – hostname.

key

str – name of plist key.

root

str – path from the root to this plist key.

username

str – unique username.

DATA_TYPE = 'plist:key'
plaso.containers.reports module

Report related attribute container definitions.

class plaso.containers.reports.AnalysisReport(plugin_name=None, text=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Analysis report attribute container.

filter_string

str – event filter expression.

plugin_name

str – name of the analysis plugin that generated the report.

report_array

array[str] – ???

report_dict

dict[str] – ???

text

str – report text.

time_compiled

int – timestamp of the date and time the report was compiled.

CONTAINER_TYPE = 'analysis_report'
CopyToDict()[source]

Copies the attribute container to a dictionary.

Returns:attribute values per name.
Return type:dict[str, object]
GetString()[source]

Retrieves a string representation of the report.

Returns:string representation of the report.
Return type:str
plaso.containers.sessions module

Session related attribute container definitions.

class plaso.containers.sessions.Session[source]

Bases: plaso.containers.interface.AttributeContainer

Session attribute container.

aborted

bool – True if the session was aborted.

analysis_reports_counter

collections.Counter – number of analysis reports per analysis plugin.

artifact_filters

list[str] – Names of artifact definitions that are used for filtering file system and Windows Registry key paths.

command_line_arguments

str – command line arguments.

completion_time

int – time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

debug_mode

bool – True if debug mode was enabled.

enabled_parser_names

list[str] – parser and parser plugin names that were enabled.

event_labels_counter

collections.Counter – number of event tags per label.

filter_file

str – path to a file with find specifications.

identifier

str – unique identifier of the session.

parser_filter_expression

str – parser filter expression.

parsers_counter

collections.Counter – number of events per parser or parser plugin.

preferred_encoding

str – preferred encoding.

preferred_time_zone

str – preferred time zone.

preferred_year

int – preferred year.

product_name

str – name of the product that created the session e.g. ‘log2timeline’.

product_version

str – version of the product that created the session.

start_time

int – time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = 'session'
CopyAttributesFromSessionCompletion(session_completion)[source]

Copies attributes from a session completion.

Parameters:session_completion (SessionCompletion) – session completion attribute container.
Raises:ValueError – if the identifier of the session completion does not match that of the session.
CopyAttributesFromSessionStart(session_start)[source]

Copies attributes from a session start.

Parameters:session_start (SessionStart) – session start attribute container.
CreateSessionCompletion()[source]

Creates a session completion.

Returns:session completion attribute container.
Return type:SessionCompletion
CreateSessionStart()[source]

Creates a session start.

Returns:session start attribute container.
Return type:SessionStart
class plaso.containers.sessions.SessionCompletion(identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Session completion attribute container.

aborted

bool – True if the session was aborted.

analysis_reports_counter

collections.Counter – number of analysis reports per analysis plugin.

event_labels_counter

collections.Counter – number of event tags per label.

identifier

str – unique identifier of the session.

parsers_counter

collections.Counter – number of events per parser or parser plugin.

timestamp

int – time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = 'session_completion'
class plaso.containers.sessions.SessionStart(identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Session start attribute container.

artifact_filters

list[str] – names of artifact definitions that are used for filtering file system and Windows Registry key paths.

command_line_arguments

str – command line arguments.

debug_mode

bool – True if debug mode was enabled.

enabled_parser_names

list[str] – parser and parser plugin names that were enabled.

filter_file

str – path to a file with find specifications.

identifier

str – unique identifier of the session.

parser_filter_expression

str – parser filter expression.

preferred_encoding

str – preferred encoding.

preferred_time_zone

str – preferred time zone.

preferred_year

int – preferred year.

product_name

str – name of the product that created the session e.g. ‘log2timeline’.

product_version

str – version of the product that created the session.

timestamp

int – time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = 'session_start'
plaso.containers.shell_item_events module

Shell item event attribute container.

class plaso.containers.shell_item_events.ShellItemFileEntryEventData[source]

Bases: plaso.containers.events.EventData

Shell item file entry event data attribute container.

name

str – name of the file entry shell item.

long_name

str – long name of the file entry shell item.

localized_name

str – localized name of the file entry shell item.

file_reference

str – NTFS file reference, in the format: “MFT entry - sequence number”.

shell_item_path

str – shell item path.

origin

str – origin of the event.

DATA_TYPE = 'windows:shell_item:file_entry'
plaso.containers.storage_media module

Storage media related attribute container definitions.

class plaso.containers.storage_media.MountPoint(mount_path=None, path_specification=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Mount point attribute container.

mount_path

str – path where the path specification is mounted, such as “/mnt/image” or “C:”.

path_spec

dfvfs.PathSpec – path specification.

CONTAINER_TYPE = 'mount_point'
plaso.containers.tasks module

Task related attribute container definitions.

class plaso.containers.tasks.Task(session_identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Task attribute container.

A task describes a piece of work for a multiprocessing worker process e.g. to process a path specification or to analyze an event.

aborted

bool – True if the session was aborted.

completion_time

int – time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

file_entry_type

str – dfVFS type of the file entry the path specification is referencing.

has_retry

bool – True if the task was previously abandoned and a retry task was created, False otherwise.

identifier

str – unique identifier of the task.

last_processing_time

int – the last time the task was marked as being processed as number of milliseconds since January 1, 1970, 00:00:00 UTC.

merge_priority

int – priority used for the task storage file merge, where a lower value indicates a higher priority to merge.

path_spec

dfvfs.PathSpec – path specification.

session_identifier

str – the identifier of the session the task is part of.

start_time

int – time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

storage_file_size

int – size of the storage file in bytes.

CONTAINER_TYPE = 'task'
CreateRetryTask()[source]

Creates a new task to retry a previously abandoned task.

The retry task will have a new identifier but most of the attributes will be a copy of the previously abandoned task.

Returns:a task to retry a previously abandoned task.
Return type:Task
CreateTaskCompletion()[source]

Creates a task completion.

Returns:task completion attribute container.
Return type:TaskCompletion
CreateTaskStart()[source]

Creates a task start.

Returns:task start attribute container.
Return type:TaskStart
UpdateProcessingTime()[source]

Updates the processing time to now.

__lt__(other)[source]

Compares if the task attribute container is less than the other.

Parameters:other (Task) – task attribute container to compare to.
Returns:True if the task attribute container is less than the other.
Return type:bool
class plaso.containers.tasks.TaskCompletion(identifier=None, session_identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Task completion attribute container.

aborted

bool – True if the session was aborted.

identifier

str – unique identifier of the task.

session_identifier

str – the identifier of the session the task is part of.

timestamp

int – time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = 'task_completion'
class plaso.containers.tasks.TaskStart(identifier=None, session_identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Task start attribute container.

identifier

str – unique identifier of the task.

session_identifier

str – the identifier of the session the task is part of.

timestamp

int – time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = 'task_start'
plaso.containers.time_events module

Time-based event attribute containers.

class plaso.containers.time_events.DateTimeValuesEvent(date_time, date_time_description, data_type=None, time_zone=None)[source]

Bases: plaso.containers.time_events.TimestampEvent

dfDateTime date time values-based event attribute container.

class plaso.containers.time_events.PythonDatetimeEvent(datetime_value, date_time_description, data_type=None, time_zone=None)[source]

Bases: plaso.containers.time_events.DateTimeValuesEvent

Python datetime-based event attribute container.

class plaso.containers.time_events.TimestampEvent(timestamp, timestamp_description, data_type=None)[source]

Bases: plaso.containers.events.EventObject

Plaso timestamp-based event attribute container.

data_type

str – event data type.

timestamp

int – timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

timestamp_desc

str – description of the meaning of the timestamp.

plaso.containers.windows_events module

Windows event data attribute containers.

class plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData(uuid, origin)[source]

Bases: plaso.containers.events.EventData

Windows distributed link event data attribute container.

mac_address

str – MAC address stored in the UUID.

origin

str – origin of the event (event source), for example the path of the corresponding LNK file or the file reference of the MFT entry with the corresponding NTFS $OBJECT_ID attribute.

uuid

str – UUID.

DATA_TYPE = 'windows:distributed_link_tracking:creation'
class plaso.containers.windows_events.WindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Windows Registry event data attribute container.

key_path

str – Windows Registry key path.

regvalue

dict[str, object] – values in the key.

source_append

str – text to append to the source_long of the event.

urls

list[str] – URLs.

DATA_TYPE = 'windows:registry:key_value'
class plaso.containers.windows_events.WindowsRegistryInstallationEventData[source]

Bases: plaso.containers.events.EventData

Windows installation event data attribute container.

key_path

str – Windows Registry key path.

owner

str – owner.

product_name

str – product name.

service_pack

str – service pack.

version

str – version.

DATA_TYPE = 'windows:registry:installation'
class plaso.containers.windows_events.WindowsRegistryListEventData[source]

Bases: plaso.containers.events.EventData

Windows Registry list event data attribute container.

Windows Registry list event data is used to store an MRU (most recently used) list.

key_path

str – Windows Registry key path.

known_folder_identifier

str – known folder identifier.

list_name

str – name of the list.

list_values

str – values in the list.

value_name

str – Windows Registry value name.

DATA_TYPE = 'windows:registry:list'
class plaso.containers.windows_events.WindowsRegistryServiceEventData[source]

Bases: plaso.containers.events.EventData

Windows Registry service event data attribute container.

key_path

str – Windows Registry key path.

offset

int – data offset of the Windows Registry key or value.

regvalue

dict[str, str] – values of a key.

urls

Optional[list[str]] – URLs.

DATA_TYPE = 'windows:registry:service'
class plaso.containers.windows_events.WindowsVolumeEventData[source]

Bases: plaso.containers.events.EventData

Windows volume event data attribute container.

device_path

str – volume device path.

origin

str – origin of the event (event source), for example the corresponding Prefetch file name.

serial_number

str – volume serial number.

DATA_TYPE = 'windows:volume:creation'
Module contents

This file imports Python modules that register attribute container types.

plaso.engine package

Submodules
plaso.engine.artifact_filters module

Helper to create filters based on forensic artifact definitions.

class plaso.engine.artifact_filters.ArtifactDefinitionsFilterHelper(artifacts_registry, artifact_filters, knowledge_base)[source]

Bases: object

Helper to create filters based on artifact definitions.

Builds extraction filters from forensic artifact definitions.

For more information about Forensic Artifacts see: https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc

BuildFindSpecs(environment_variables=None)[source]

Builds find specifications from artifact definitions.

The resulting find specifications are set in the knowledge base.

Parameters: environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.
BuildFindSpecsFromFileArtifact(source_path, path_separator, environment_variables, user_accounts)[source]

Builds find specifications from a file source type.

Parameters:
  • source_path (str) – file system path defined by the source.
  • path_separator (str) – file system path segment separator.
  • environment_variables (list[str]) – environment variable attributes used to dynamically populate environment variables in key.
  • user_accounts (list[str]) – identified user accounts stored in the knowledge base.
Returns:

find specifications for the file source type.

Return type:

list[dfvfs.FindSpec]

BuildFindSpecsFromRegistryArtifact(source_key_path)[source]

Build find specifications from a Windows Registry source type.

Parameters: source_key_path (str) – Windows Registry key path defined by the source.
Returns: find specifications for the Windows Registry source type.
Return type: list[dfwinreg.FindSpec]
static CheckKeyCompatibility(key_path)[source]

Checks if a Windows Registry key path is supported by dfWinReg.

Parameters: key_path (str) – path of the Windows Registry key.
Returns: True if the key is compatible or False if not.
Return type: bool
KNOWLEDGE_BASE_VALUE = 'ARTIFACT_FILTERS'
plaso.engine.configurations module

Processing configuration classes.

class plaso.engine.configurations.CredentialConfiguration(credential_data=None, credential_type=None, path_spec=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for a credential.

credential_data

bytes – credential data.

credential_type

str – credential type.

path_spec

dfvfs.PathSpec – path specification.

CONTAINER_TYPE = 'credential_configuration'
class plaso.engine.configurations.EventExtractionConfiguration[source]

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for event extraction.

These settings are primarily used by the parser mediator.

filter_object

objectfilter.Filter – filter that specifies which events to include.

text_prepend

str – text to prepend to every event.

CONTAINER_TYPE = 'event_extraction_configuration'
class plaso.engine.configurations.ExtractionConfiguration[source]

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for extraction.

These settings are primarily used by the extraction worker.

hasher_file_size_limit

int – maximum file size that hashers should process, where 0 or None represents unlimited.

hasher_names_string

str – comma separated string of names of hashers to use during processing.

process_archives

bool – True if archive files should be scanned for file entries.

process_compressed_streams

bool – True if file content in compressed streams should be processed.

yara_rules_string

str – Yara rule definitions.

CONTAINER_TYPE = 'extraction_configuration'
class plaso.engine.configurations.InputSourceConfiguration[source]

Bases: plaso.containers.interface.AttributeContainer

Configuration settings of an input source.

mount_path

str – path of a “mounted” directory input source.

CONTAINER_TYPE = 'input_source'
class plaso.engine.configurations.ProcessingConfiguration[source]

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for processing.

artifact_filters

Optional list[str] – names of artifact definitions that are used for filtering file system and Windows Registry key paths.

credentials

list[CredentialConfiguration] – credential configurations.

data_location

str – path to the data files.

debug_output

bool – True if debug output should be enabled.

event_extraction

EventExtractionConfiguration – event extraction configuration.

extraction

ExtractionConfiguration – extraction configuration.

filter_file

str – path to a file with find specifications.

input_source

InputSourceConfiguration – input source configuration.

log_filename

str – name of the log file.

parser_filter_expression

str – parser filter expression, where None represents all parsers and plugins.

preferred_year

int – preferred initial year value for year-less date and time values.

profiling

ProfilingConfiguration – profiling configuration.

temporary_directory

str – path of the directory for temporary files.

CONTAINER_TYPE = 'processing_configuration'
class plaso.engine.configurations.ProfilingConfiguration[source]

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for profiling.

directory

str – path to the directory where the profiling sample files should be stored.

profilers

set(str) – names of the profilers to enable. Supported profilers are:

  • ‘guppy’, which profiles memory usage using guppy;
  • ‘memory’, which profiles memory usage;
  • ‘parsers’, which profiles CPU time consumed by individual parsers;
  • ‘processing’, which profiles CPU time consumed by different parts of processing;
  • ‘serializers’, which profiles CPU time consumed by individual serializers;
  • ‘storage’, which profiles storage reads and writes.
sample_rate

int – the profiling sample rate. Contains the number of event sources processed.

CONTAINER_TYPE = 'profiling_configuration'
HaveProfileMemory()[source]

Determines if memory profiling is configured.

Returns: True if memory profiling is configured.
Return type: bool
HaveProfileMemoryGuppy()[source]

Determines if memory profiling with guppy is configured.

Returns: True if memory profiling with guppy is configured.
Return type: bool
HaveProfileParsers()[source]

Determines if parsers profiling is configured.

Returns: True if parsers profiling is configured.
Return type: bool
HaveProfileProcessing()[source]

Determines if processing profiling is configured.

Returns: True if processing profiling is configured.
Return type: bool
HaveProfileSerializers()[source]

Determines if serializers profiling is configured.

Returns: True if serializers profiling is configured.
Return type: bool
HaveProfileStorage()[source]

Determines if storage profiling is configured.

Returns: True if storage profiling is configured.
Return type: bool
HaveProfileTaskQueue()[source]

Determines if task queue profiling is configured.

Returns: True if task queue profiling is configured.
Return type: bool
HaveProfileTasks()[source]

Determines if tasks profiling is configured.

Returns: True if tasks profiling is configured.
Return type: bool
plaso.engine.engine module

The processing engine.

class plaso.engine.engine.BaseEngine[source]

Bases: object

Processing engine interface.

knowledge_base

KnowledgeBase – knowledge base.

classmethod BuildArtifactsRegistry(artifact_definitions_path, custom_artifacts_path)[source]

Builds an artifact definitions registry from the artifact definitions file and, if available, the custom artifact definitions file.

Parameters:
  • artifact_definitions_path (str) – path to artifact definitions file.
  • custom_artifacts_path (str) – path to custom artifact definitions file.
Returns:

artifact definitions registry.

Return type:

artifacts.ArtifactDefinitionsRegistry

Raises:

RuntimeError – if no valid FindSpecs are built.

classmethod BuildFilterFindSpecs(artifact_definitions_path, custom_artifacts_path, knowledge_base_object, artifact_filter_names=None, filter_file_path=None)[source]

Builds find specifications from artifacts or filter file if available.

Parameters:
  • artifact_definitions_path (str) – path to artifact definitions file.
  • custom_artifacts_path (str) – path to custom artifact definitions file.
  • knowledge_base_object (KnowledgeBase) – knowledge base.
  • artifact_filter_names (Optional[list[str]]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
  • filter_file_path (Optional[str]) – Path of filter file.
Returns:

find specifications for the file source type.

Return type:

list[dfvfs.FindSpec]

Raises:

RuntimeError – if no valid FindSpecs are built.

classmethod CreateSession(artifact_filter_names=None, command_line_arguments=None, debug_mode=False, filter_file_path=None, preferred_encoding='utf-8', preferred_time_zone=None, preferred_year=None)[source]

Creates a session attribute container.

Parameters:
  • artifact_filter_names (Optional[list[str]]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
  • command_line_arguments (Optional[str]) – the command line arguments.
  • debug_mode (bool) – True if debug mode was enabled.
  • filter_file_path (Optional[str]) – path to a file with find specifications.
  • preferred_encoding (Optional[str]) – preferred encoding.
  • preferred_time_zone (Optional[str]) – preferred time zone.
  • preferred_year (Optional[int]) – preferred year.
Returns:

session attribute container.

Return type:

Session

GetSourceFileSystem(source_path_spec, resolver_context=None)[source]

Retrieves the file system of the source.

Parameters:
  • source_path_spec (dfvfs.PathSpec) – path specifications of the sources to process.
  • resolver_context (dfvfs.Context) – resolver context.
Returns:

tuple containing:

  • dfvfs.FileSystem: file system.
  • path.PathSpec: mount point path specification. The mount point path specification refers to either a directory or a volume on a storage media device or image. It is needed by the dfVFS file system searcher (FileSystemSearcher) to indicate the base location of the file system.

Return type:

tuple

Raises:

RuntimeError – if source file system path specification is not set.

PreprocessSources(artifacts_registry_object, source_path_specs, resolver_context=None)[source]

Preprocesses the sources.

Parameters:
  • artifacts_registry_object (artifacts.ArtifactDefinitionsRegistry) – artifact definitions registry.
  • source_path_specs (list[dfvfs.PathSpec]) – path specifications of the sources to process.
  • resolver_context (Optional[dfvfs.Context]) – resolver context.
classmethod SupportsGuppyMemoryProfiling()[source]

Determines if memory profiling with guppy is supported.

Returns: True if memory profiling with guppy is supported.
Return type: bool
plaso.engine.extractors module

The extractor class definitions.

An extractor is a class used to extract information from “raw” data.

class plaso.engine.extractors.EventExtractor(parser_filter_expression=None)[source]

Bases: object

Event extractor.

An event extractor extracts events from event sources.

ParseDataStream(parser_mediator, file_entry, data_stream_name)[source]

Parses a data stream of a file entry with the enabled parsers.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • file_entry (dfvfs.FileEntry) – file entry.
  • data_stream_name (str) – data stream name.
Raises:

RuntimeError – if the file-like object or the parser object is missing.

ParseFileEntryMetadata(parser_mediator, file_entry)[source]

Parses the file entry metadata e.g. file system data.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • file_entry (dfvfs.FileEntry) – file entry.
ParseMetadataFile(parser_mediator, file_entry, data_stream_name)[source]

Parses a metadata file.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • file_entry (dfvfs.FileEntry) – file entry.
  • data_stream_name (str) – data stream name.
class plaso.engine.extractors.PathSpecExtractor(duplicate_file_check=False)[source]

Bases: object

Path specification extractor.

A path specification extractor extracts path specifications from a source directory, file, or storage media device or image.

ExtractPathSpecs(path_specs, find_specs=None, recurse_file_system=True, resolver_context=None)[source]

Extracts path specifications from a specific source.

Parameters:
  • path_specs (Optional[list[dfvfs.PathSpec]]) – path specifications.
  • find_specs (Optional[list[dfvfs.FindSpec]]) – find specifications.
  • recurse_file_system (Optional[bool]) – True if extraction should recurse into a file system.
  • resolver_context (Optional[dfvfs.Context]) – resolver context.
Yields:

dfvfs.PathSpec – path specification of a file entry found in the source.

plaso.engine.filter_file module

Filter file.

class plaso.engine.filter_file.FilterFile(path)[source]

Bases: object

Filter file.

A filter file contains one or more path filters.

A path filter may contain path expansion attributes. Such an attribute is defined as anything within a pair of curly brackets, for example “\System\{my_attribute}\PathKeyname”. If the attribute “my_attribute” is defined, its runtime value replaces the placeholder in the path filter, giving for example “\System\MyValue\PathKeyname”.

If the path filter needs to contain literal curly brackets, these need to be escaped with another curly bracket, for example “\System\{my_attribute}\{{123-AF25-E523}}\KeyName”, where “{{123-AF25-E523}}” will be replaced with “{123-AF25-E523}” at runtime.

BuildFindSpecs(environment_variables=None)[source]

Build find specification from a filter file.

Parameters: environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.
Returns: find specifications.
Return type: list[dfvfs.FindSpec]
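The placeholder and escaping rules described for filter files, worked through as an added example. This is not Plaso's own implementation: it only mirrors the documented semantics ("{name}" is replaced by the attribute's runtime value, "{{" and "}}" become literal braces), and the filter file contents, the attribute names and the decision to skip filters with undefined attributes are our own assumptions.

```python
import re

# Tokens in a path filter: an escaped brace pair ("{{" or "}}") or a
# "{name}" attribute placeholder. Anything else is copied through as-is.
_TOKEN_RE = re.compile(r'\{\{|\}\}|\{([^{}]+)\}')


def ExpandPathFilter(path_filter, attributes):
  """Expands attribute placeholders in a single path filter.

  Args:
    path_filter (str): path filter such as "\\System\\{my_attribute}\\X".
    attributes (dict[str, str]): runtime values of the attributes.

  Returns:
    str: expanded path filter, or None when the filter references an
        attribute that has no runtime value.
  """
  result = []
  position = 0
  for match in _TOKEN_RE.finditer(path_filter):
    # Copy the literal text between the previous token and this one.
    result.append(path_filter[position:match.start()])
    token = match.group(0)
    if token == '{{':
      result.append('{')  # "{{" is an escaped literal brace.
    elif token == '}}':
      result.append('}')
    else:
      name = match.group(1)
      if name not in attributes:
        return None  # Undefined attribute: this filter cannot be resolved.
      result.append(str(attributes[name]))
    position = match.end()
  result.append(path_filter[position:])
  return ''.join(result)


def BuildPathFilters(filter_file_text, attributes):
  """Expands every path filter in the contents of a filter file.

  Blank lines and lines starting with "#" are skipped. Filters that reference
  undefined attributes are dropped and returned separately so the caller can
  report them (our assumption, not documented Plaso behaviour).

  Returns:
    tuple[list[str], list[str]]: expanded filters and the skipped raw lines.
  """
  expanded = []
  skipped = []
  for line in filter_file_text.splitlines():
    line = line.strip()
    if not line or line.startswith('#'):
      continue
    path = ExpandPathFilter(line, attributes)
    if path is None:
      skipped.append(line)
    else:
      expanded.append(path)
  return expanded, skipped


# Constructed sample filter file; attribute names and values are made up.
SAMPLE_FILTER_FILE = r"""
# System hive values of interest
\System\{my_attribute}\PathKeyname
\System\{my_attribute}\{{123-AF25-E523}}\KeyName
\Users\{undefined_attribute}\NTUSER.DAT
"""

SAMPLE_ATTRIBUTES = {'my_attribute': 'MyValue'}


if __name__ == '__main__':
  paths, dropped = BuildPathFilters(SAMPLE_FILTER_FILE, SAMPLE_ATTRIBUTES)
  for path in paths:
    print(path)
  for line in dropped:
    print('skipped (undefined attribute): {0:s}'.format(line))
```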
plaso.engine.knowledge_base module

The artifact knowledge base object.

The knowledge base is filled by user-provided input and the pre-processing phase. It is intended to provide successive phases, such as the parsing and analysis phases, with essential information such as the timezone and codepage of the source data.

class plaso.engine.knowledge_base.KnowledgeBase[source]

Bases: object

Class that implements the artifact knowledge base.

AddEnvironmentVariable(environment_variable)[source]

Adds an environment variable.

Parameters: environment_variable (EnvironmentVariableArtifact) – environment variable artifact.
Raises: KeyError – if the environment variable already exists.
AddUserAccount(user_account, session_identifier=0)[source]

Adds a user account.

Parameters:
  • user_account (UserAccountArtifact) – user account artifact.
  • session_identifier (Optional[str]) – session identifier, where CURRENT_SESSION represents the active session.
Raises:

KeyError – if the user account already exists.

CURRENT_SESSION = 0
GetEnvironmentVariable(name)[source]

Retrieves an environment variable.

Parameters: name (str) – name of the environment variable.
Returns: environment variable artifact or None if there was no value set for the given name.
Return type: EnvironmentVariableArtifact
GetEnvironmentVariables()[source]

Retrieves the environment variables.

Returns: environment variable artifacts.
Return type: list[EnvironmentVariableArtifact]
GetHostname(session_identifier=0)[source]

Retrieves the hostname related to the event.

If the hostname is not stored in the event it is determined based on the preprocessing information that is stored inside the storage file.

Parameters: session_identifier (Optional[str]) – session identifier, where CURRENT_SESSION represents the active session.
Returns: hostname.
Return type: str
GetStoredHostname()[source]

Retrieves the stored hostname.

The hostname is determined based on the preprocessing information that is stored inside the storage file.

Returns: hostname.
Return type: str
GetSystemConfigurationArtifact(session_identifier=0)[source]

Retrieves the knowledge base as a system configuration artifact.

Parameters: session_identifier (Optional[str]) – session identifier, where CURRENT_SESSION represents the active session.
Returns: system configuration artifact.
Return type: SystemConfigurationArtifact
GetUsernameByIdentifier(user_identifier, session_identifier=0)[source]

Retrieves the username based on a user identifier.

Parameters:
  • user_identifier (str) – user identifier, either a UID or SID.
  • session_identifier (Optional[str]) – session identifier, where CURRENT_SESSION represents the active session.
Returns:

username.

Return type:

str

GetUsernameForPath(path)[source]

Retrieves a username for a specific path.

This determines whether a specific path is within a user’s directory and, if so, returns the username of that user.

Parameters: path (str) – path.
Returns: username or None if the path does not appear to be within a user’s directory.
Return type: str
GetValue(identifier, default_value=None)[source]

Retrieves a value by identifier.

Parameters:
  • identifier (str) – case insensitive unique identifier for the value.
  • default_value (object) – default value.
Returns:

value or default value if not available.

Return type:

object

Raises:

TypeError – if the identifier is not a string type.

HasUserAccounts()[source]

Determines if the knowledge base contains user accounts.

Returns: True if the knowledge base contains user accounts.
Return type: bool
ReadSystemConfigurationArtifact(system_configuration, session_identifier=0)[source]

Reads the knowledge base values from a system configuration artifact.

Note that this overwrites existing values in the knowledge base.

Parameters:
  • system_configuration (SystemConfigurationArtifact) – system configuration artifact.
  • session_identifier (Optional[str]) – session identifier, where CURRENT_SESSION represents the active session.
SetCodepage(codepage)[source]

Sets the codepage.

Parameters: codepage (str) – codepage.
Raises: ValueError – if the codepage is not supported.
SetEnvironmentVariable(environment_variable)[source]

Sets an environment variable.

Parameters: environment_variable (EnvironmentVariableArtifact) – environment variable artifact.
SetHostname(hostname, session_identifier=0)[source]

Sets a hostname.

Parameters:
  • hostname (HostnameArtifact) – hostname artifact.
  • session_identifier (Optional[str]) – session identifier, where CURRENT_SESSION represents the active session.
SetTimeZone(time_zone)[source]

Sets the time zone.

Parameters: time_zone (str) – time zone.
Raises: ValueError – if the time zone is not supported.
SetValue(identifier, value)[source]

Sets a value by identifier.

Parameters:
  • identifier (str) – case insensitive unique identifier for the value.
  • value (object) – value.
Raises:

TypeError – if the identifier is not a string type.

codepage

str – codepage of the current session.

hostname

str – hostname of the current session.

timezone

datetime.tzinfo – timezone of the current session.

user_accounts

list[UserAccountArtifact] – user accounts of the current session.

year

int – year of the current session.

plaso.engine.logger module

The engine sub module logger.

plaso.engine.path_helper module

The path helper.

class plaso.engine.path_helper.PathHelper[source]

Bases: object

Class that implements the path helper.

classmethod AppendPathEntries(path, path_separator, count, skip_first)[source]

Appends wildcard entries to end of path.

Will append wildcard * to given path building a list of strings for “count” iterations, skipping the first directory if skip_first is true.

Parameters:
  • path (str) – Path to append wildcards to.
  • path_separator (str) – path segment separator.
  • count (int) – Number of entries to be appended.
  • skip_first (bool) – Whether or not to skip first entry to append.
Returns:

Paths that were expanded from the path with wildcards.

Return type:

list[str]

classmethod ExpandRecursiveGlobs(path, path_separator)[source]

Expands recursive like globs present in an artifact path.

If a path ends in ‘**’, optionally followed by up to two digits such as ‘**10’, the ‘**’ will recursively match all files and zero or more directories below the specified path. The optional digits indicate the recursion depth. By default the recursion depth is 10 directories.

If the glob is followed by the specified path segment separator, only directories and subdirectories will be matched.

Parameters:
  • path (str) – path to be expanded.
  • path_separator (str) – path segment separator.
Returns:

String path expanded for each glob.

Return type:

list[str]
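The AppendPathEntries and ExpandRecursiveGlobs contracts above, worked through as an added example. This is not Plaso's PathHelper code; it reimplements the documented ‘**’, ‘**N’ and trailing-separator semantics so the expansion can be inspected on sample paths. DEFAULT_RECURSION_DEPTH (the page's stated default of 10) and the sample artifact paths are our own.

```python
import re

# The page states the default recursion depth is 10 directories; the
# constant name is ours, not Plaso's.
DEFAULT_RECURSION_DEPTH = 10


def AppendPathEntries(path, path_separator, count, skip_first):
  """Appends "<separator>*" to the path count times, one path per step.

  Args:
    path (str): path to append wildcards to.
    path_separator (str): path segment separator.
    count (int): number of wildcard entries to append.
    skip_first (bool): True to leave out the first (shallowest) expansion.

  Returns:
    list[str]: paths expanded from the path with wildcards.
  """
  paths = []
  for iteration in range(count):
    path = '{0:s}{1:s}*'.format(path, path_separator)
    if skip_first and iteration == 0:
      continue
    paths.append(path)
  return paths


def ExpandRecursiveGlobs(path, path_separator):
  """Expands a trailing "**", "**N" or "**N<separator>" recursive glob.

  Args:
    path (str): artifact path, for example "\\Users\\**2".
    path_separator (str): path segment separator.

  Returns:
    list[str]: one wildcard path per recursion level, or the unchanged path
        as a single-element list when it carries no recursive glob.
  """
  separator = re.escape(path_separator)
  # group 1: path before the glob; group 2: optional depth (at most two
  # digits); group 3: optional trailing separator ("directories only").
  pattern = r'^(.*){0}\*\*(\d{{1,2}})?({0})?$'.format(separator)
  match = re.match(pattern, path)
  if not match:
    return [path]
  prefix, depth, trailing_separator = match.groups()
  count = int(depth) if depth else DEFAULT_RECURSION_DEPTH
  # A trailing separator means the first level (entries directly under the
  # prefix) is skipped, so only contents of subdirectories are matched.
  skip_first = trailing_separator is not None
  return AppendPathEntries(prefix, path_separator, count, skip_first)


if __name__ == '__main__':
  # Constructed sample artifact paths with their separators.
  samples = [
      ('\\Users\\**2', '\\'),
      ('C:\\Windows\\Temp\\**3\\', '\\'),
      ('/var/log/**', '/'),
      ('/etc/passwd', '/'),
  ]
  for sample_path, sample_separator in samples:
    expanded = ExpandRecursiveGlobs(sample_path, sample_separator)
    print('{0:s} -> {1!s}'.format(sample_path, expanded))
```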

classmethod ExpandUsersHomeDirectoryPath(path, user_accounts)[source]

Expands a path to contain all users home or profile directories.

Expands the GRR artifacts path variable “%%users.homedir%%”.

Parameters:
  • path (str) – Windows path with environment variables.
  • user_accounts (list[UserAccountArtifact]) – user accounts.
Returns:

paths returned for user accounts without a drive letter.

Return type:

list[str]

classmethod ExpandWindowsPath(path, environment_variables)[source]

Expands a Windows path containing environment variables.

Parameters:
  • path (str) – Windows path with environment variables.
  • environment_variables (list[EnvironmentVariableArtifact]) – environment variables.
Returns:

expanded Windows path.

Return type:

str

classmethod GetDisplayNameForPathSpec(path_spec, mount_path=None, text_prepend=None)[source]

Retrieves the display name of a path specification.

Parameters:
  • path_spec (dfvfs.PathSpec) – path specification.
  • mount_path (Optional[str]) – path where the file system that is used by the path specification is mounted, such as “/mnt/image”. The mount path will be stripped from the absolute path defined by the path specification.
  • text_prepend (Optional[str]) – text to prepend.
Returns:

human readable version of the path specification or None.

Return type:

str

classmethod GetRelativePathForPathSpec(path_spec, mount_path=None)[source]

Retrieves the relative path of a path specification.

If a mount path is defined the path will be relative to the mount point, otherwise the path is relative to the root of the file system that is used by the path specification.

Parameters:
  • path_spec (dfvfs.PathSpec) – path specification.
  • mount_path (Optional[str]) – path where the file system that is used by the path specification is mounted, such as “/mnt/image”. The mount path will be stripped from the absolute path defined by the path specification.
Returns:

relative path or None.

Return type:

str

plaso.engine.plaso_queue module

Queue management implementation for Plaso.

This file contains an implementation of a queue used by plaso for queue management.

The queue has been abstracted in order to support different implementations of the queueing mechanism, for multiprocessing and scalability.

class plaso.engine.plaso_queue.Queue[source]

Bases: object

Class that implements the queue interface.

Close(abort=False)[source]

Closes the queue.

Parameters: abort (Optional[bool]) – whether the close is the result of an abort condition. If True, queue contents may be lost.
IsEmpty()[source]

Determines if the queue is empty.

Open()[source]

Opens the queue, ready to enqueue or dequeue items.

PopItem()[source]

Pops an item off the queue.

Raises: QueueEmpty – when the queue is empty.
PushItem(item, block=True)[source]

Pushes an item onto the queue.

Parameters:
  • item (object) – item to add.
  • block (bool) – whether to block if the queue is full.
Raises:

QueueFull – if the queue is full, and the item could not be added.

class plaso.engine.plaso_queue.QueueAbort[source]

Bases: object

Class that implements a queue abort.

plaso.engine.process_info module

Information about a running process.

class plaso.engine.process_info.ProcessInfo(pid)[source]

Bases: object

Provides information about a running process.

GetUsedMemory()[source]

Retrieves the amount of memory used by the process.

Returns: amount of memory in bytes used by the process or None if not available.
Return type: int
plaso.engine.processing_status module

Processing status classes.

class plaso.engine.processing_status.ProcessStatus[source]

Bases: object

The status of an individual process.

display_name

str – human readable name of the file entry currently being processed by the process.

identifier

str – process identifier.

last_running_time

int – timestamp of the last update when the process had a running process status.

number_of_consumed_errors

int – total number of errors consumed by the process.

number_of_consumed_errors_delta

int – number of errors consumed by the process since the last status update.

number_of_consumed_event_tags

int – total number of event tags consumed by the process.

number_of_consumed_event_tags_delta

int – number of event tags consumed by the process since the last status update.

number_of_consumed_events

int – total number of events consumed by the process.

number_of_consumed_events_delta

int – number of events consumed by the process since the last status update.

number_of_consumed_reports

int – total number of event reports consumed by the process.

number_of_consumed_reports_delta

int – number of event reports consumed by the process since the last status update.

number_of_consumed_sources

int – total number of event sources consumed by the process.

number_of_consumed_sources_delta

int – number of event sources consumed by the process since the last status update.

number_of_produced_errors

int – total number of errors produced by the process.

number_of_produced_errors_delta

int – number of errors produced by the process since the last status update.

number_of_produced_event_tags

int – total number of event tags produced by the process.

number_of_produced_event_tags_delta

int – number of event tags produced by the process since the last status update.

number_of_produced_events

int – total number of events produced by the process.

number_of_produced_events_delta

int – number of events produced by the process since the last status update.

number_of_produced_reports

int – total number of event reports produced by the process.

number_of_produced_reports_delta

int – number of event reports produced by the process since the last status update.

number_of_produced_sources

int – total number of event sources produced by the process.

number_of_produced_sources_delta

int – number of event sources produced by the process since the last status update.

pid

int – process identifier (PID).

status

str – human readable status indication e.g. ‘Hashing’, ‘Idle’.

used_memory

int – size of used memory in bytes.

UpdateNumberOfErrors(number_of_consumed_errors, number_of_produced_errors)[source]

Updates the number of errors.

Parameters:
  • number_of_consumed_errors (int) – total number of errors consumed by the process.
  • number_of_produced_errors (int) – total number of errors produced by the process.
Returns:

True if either number of errors has increased.

Return type:

bool

Raises:

ValueError – if the consumed or produced number of errors is smaller than the value of the previous update.

UpdateNumberOfEventReports(number_of_consumed_reports, number_of_produced_reports)[source]

Updates the number of event reports.

Parameters:
  • number_of_consumed_reports (int) – total number of event reports consumed by the process.
  • number_of_produced_reports (int) – total number of event reports produced by the process.
Returns:

True if either number of event reports has increased.

Return type:

bool

Raises:

ValueError – if the consumed or produced number of event reports is smaller than the value of the previous update.

UpdateNumberOfEventSources(number_of_consumed_sources, number_of_produced_sources)[source]

Updates the number of event sources.

Parameters:
  • number_of_consumed_sources (int) – total number of event sources consumed by the process.
  • number_of_produced_sources (int) – total number of event sources produced by the process.
Returns:

True if either number of event sources has increased.

Return type:

bool

Raises:

ValueError – if the consumed or produced number of event sources is smaller than the value of the previous update.

UpdateNumberOfEventTags(number_of_consumed_event_tags, number_of_produced_event_tags)[source]

Updates the number of event tags.

Parameters:
  • number_of_consumed_event_tags (int) – total number of event tags consumed by the process.
  • number_of_produced_event_tags (int) – total number of event tags produced by the process.
Returns:

True if either number of event tags has increased.

Return type:

bool

Raises:

ValueError – if the consumed or produced number of event tags is smaller than the value of the previous update.

UpdateNumberOfEvents(number_of_consumed_events, number_of_produced_events)[source]

Updates the number of events.

Parameters:
  • number_of_consumed_events (int) – total number of events consumed by the process.
  • number_of_produced_events (int) – total number of events produced by the process.
Returns:

True if either number of events has increased.

Return type:

bool

Raises:

ValueError – if the consumed or produced number of events is smaller than the value of the previous update.

class plaso.engine.processing_status.ProcessingStatus[source]

Bases: object

The status of the overall extraction process (processing).

aborted

bool – True if processing was aborted.

error_path_specs

list[dfvfs.PathSpec] – path specifications that caused critical errors during processing.

foreman_status

ProcessingStatus – foreman processing status.

start_time

float – time that the processing was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

tasks_status

TasksStatus – status information about tasks.

UpdateForemanStatus(identifier, status, pid, used_memory, display_name, number_of_consumed_sources, number_of_produced_sources, number_of_consumed_events, number_of_produced_events, number_of_consumed_event_tags, number_of_produced_event_tags, number_of_consumed_errors, number_of_produced_errors, number_of_consumed_reports, number_of_produced_reports)[source]

Updates the status of the foreman.

Parameters:
  • identifier (str) – foreman identifier.
  • status (str) – human readable status of the foreman e.g. ‘Idle’.
  • pid (int) – process identifier (PID).
  • used_memory (int) – size of used memory in bytes.
  • display_name (str) – human readable name of the file entry currently being processed by the foreman.
  • number_of_consumed_sources (int) – total number of event sources consumed by the foreman.
  • number_of_produced_sources (int) – total number of event sources produced by the foreman.
  • number_of_consumed_events (int) – total number of events consumed by the foreman.
  • number_of_produced_events (int) – total number of events produced by the foreman.
  • number_of_consumed_event_tags (int) – total number of event tags consumed by the foreman.
  • number_of_produced_event_tags (int) – total number of event tags produced by the foreman.
  • number_of_consumed_errors (int) – total number of errors consumed by the foreman.
  • number_of_produced_errors (int) – total number of errors produced by the foreman.
  • number_of_consumed_reports (int) – total number of event reports consumed by the foreman.
  • number_of_produced_reports (int) – total number of event reports produced by the foreman.
UpdateTasksStatus(tasks_status)[source]

Updates the tasks status.

Parameters:tasks_status (TasksStatus) – status information about tasks.
UpdateWorkerStatus(identifier, status, pid, used_memory, display_name, number_of_consumed_sources, number_of_produced_sources, number_of_consumed_events, number_of_produced_events, number_of_consumed_event_tags, number_of_produced_event_tags, number_of_consumed_errors, number_of_produced_errors, number_of_consumed_reports, number_of_produced_reports)[source]

Updates the status of a worker.

Parameters:
  • identifier (str) – worker identifier.
  • status (str) – human readable status of the worker e.g. ‘Idle’.
  • pid (int) – process identifier (PID).
  • used_memory (int) – size of used memory in bytes.
  • display_name (str) – human readable name of the file entry currently being processed by the worker.
  • number_of_consumed_sources (int) – total number of event sources consumed by the worker.
  • number_of_produced_sources (int) – total number of event sources produced by the worker.
  • number_of_consumed_events (int) – total number of events consumed by the worker.
  • number_of_produced_events (int) – total number of events produced by the worker.
  • number_of_consumed_event_tags (int) – total number of event tags consumed by the worker.
  • number_of_produced_event_tags (int) – total number of event tags produced by the worker.
  • number_of_consumed_errors (int) – total number of errors consumed by the worker.
  • number_of_produced_errors (int) – total number of errors produced by the worker.
  • number_of_consumed_reports (int) – total number of event reports consumed by the worker.
  • number_of_produced_reports (int) – total number of event reports produced by the worker.
workers_status

The worker status objects sorted by identifier.

class plaso.engine.processing_status.TasksStatus[source]

Bases: object

The status of the tasks.

number_of_abandoned_tasks

int – number of abandoned tasks.

number_of_queued_tasks

int – number of active tasks.

number_of_tasks_pending_merge

int – number of tasks pending merge.

number_of_tasks_processing

int – number of tasks processing.

total_number_of_tasks

int – total number of tasks.

plaso.engine.profilers module

The profiler classes.

class plaso.engine.profilers.CPUTimeMeasurement[source]

Bases: object

The CPU time measurement.

start_sample_time

float – start sample time or None if not set.

total_cpu_time

float – total CPU time or None if not set.

SampleStart()[source]

Starts measuring the CPU time.

SampleStop()[source]

Stops measuring the CPU time.

class plaso.engine.profilers.CPUTimeProfiler(identifier, configuration)[source]

Bases: plaso.engine.profilers.SampleFileProfiler

The CPU time profiler.

StartTiming(profile_name)[source]

Starts timing CPU time.

Parameters:profile_name (str) – name of the profile to sample.
StopTiming(profile_name)[source]

Stops timing CPU time.

Parameters:profile_name (str) – name of the profile to sample.
class plaso.engine.profilers.GuppyMemoryProfiler(identifier, configuration)[source]

Bases: object

The guppy-based memory profiler.

classmethod IsSupported()[source]

Determines if the profiler is supported.

Returns:True if the profiler is supported.
Return type:bool
Sample()[source]

Takes a sample for profiling.

Start()[source]

Starts the profiler.

Stop()[source]

Stops the profiler.

class plaso.engine.profilers.MemoryProfiler(identifier, configuration)[source]

Bases: plaso.engine.profilers.SampleFileProfiler

The memory profiler.

Sample(profile_name, used_memory)[source]

Takes a sample for profiling.

Parameters:
  • profile_name (str) – name of the profile to sample.
  • used_memory (int) – amount of used memory in bytes.
class plaso.engine.profilers.ProcessingProfiler(identifier, configuration)[source]

Bases: plaso.engine.profilers.CPUTimeProfiler

The processing profiler.

class plaso.engine.profilers.SampleFileProfiler(identifier, configuration)[source]

Bases: object

Shared functionality for sample file-based profilers.

classmethod IsSupported()[source]

Determines if the profiler is supported.

Returns:True if the profiler is supported.
Return type:bool
Start()[source]

Starts the profiler.

Stop()[source]

Stops the profiler.

class plaso.engine.profilers.SerializersProfiler(identifier, configuration)[source]

Bases: plaso.engine.profilers.CPUTimeProfiler

The serializers profiler.

class plaso.engine.profilers.StorageProfiler(identifier, configuration)[source]

Bases: plaso.engine.profilers.SampleFileProfiler

The storage profiler.

Sample(operation, description, data_size, compressed_data_size)[source]

Takes a sample of data read or written for profiling.

Parameters:
  • operation (str) – operation, either ‘read’ or ‘write’.
  • description (str) – description of the data read.
  • data_size (int) – size of the data read in bytes.
  • compressed_data_size (int) – size of the compressed data read in bytes.
class plaso.engine.profilers.TaskQueueProfiler(identifier, configuration)[source]

Bases: plaso.engine.profilers.SampleFileProfiler

The task queue profiler.

Sample(tasks_status)[source]

Takes a sample of the status of queued tasks for profiling.

Parameters:tasks_status (TasksStatus) – status information about tasks.
class plaso.engine.profilers.TasksProfiler(identifier, configuration)[source]

Bases: plaso.engine.profilers.SampleFileProfiler

The tasks profiler.

Sample(task, status)[source]

Takes a sample of the status of a task for profiling.

Parameters:
  • task (Task) – a task.
  • status (str) – status.
plaso.engine.single_process module

The single process processing engine.

class plaso.engine.single_process.SingleProcessEngine[source]

Bases: plaso.engine.engine.BaseEngine

Class that defines the single process engine.

ProcessSources(source_path_specs, storage_writer, resolver_context, processing_configuration, filter_find_specs=None, status_update_callback=None)[source]

Processes the sources.

Parameters:
  • source_path_specs (list[dfvfs.PathSpec]) – path specifications of the sources to process.
  • storage_writer (StorageWriter) – storage writer for a session storage.
  • resolver_context (dfvfs.Context) – resolver context.
  • processing_configuration (ProcessingConfiguration) – processing configuration.
  • filter_find_specs (Optional[list[dfvfs.FindSpec]]) – find specifications used in path specification extraction.
  • status_update_callback (Optional[function]) – callback function for status updates.
Returns:

processing status.

Return type:

ProcessingStatus

plaso.engine.tagging_file module

Tagging file.

class plaso.engine.tagging_file.TaggingFile(path)[source]

Bases: object

Tagging file.

A tagging file contains one or more event tagging rules.

GetEventTaggingRules()[source]

Retrieves the event tagging rules from the tagging file.

Returns:efilter abstract syntax tree (AST), containing the tagging rules.
Return type:efilter.ast.Expression
plaso.engine.worker module

The event extraction worker.

class plaso.engine.worker.EventExtractionWorker(parser_filter_expression=None)[source]

Bases: object

Event extraction worker.

The event extraction worker determines which parsers are suitable for parsing a particular file entry or data stream. The parsers extract relevant data from file system and/or file content data. All extracted data is passed to the parser mediator for further processing.

last_activity_timestamp

int – timestamp received that indicates the last time activity was observed.

processing_status

str – human readable status indication such as: ‘Extracting’, ‘Hashing’.

GetAnalyzerNames()[source]

Gets the names of the active analyzers.

Returns:names of active analyzers.
Return type:list[str]
ProcessPathSpec(mediator, path_spec)[source]

Processes a path specification.

Parameters:
  • mediator (ParserMediator) – mediates the interactions between parsers and other components, such as storage and abort signals.
  • path_spec (dfvfs.PathSpec) – path specification.
SetExtractionConfiguration(configuration)[source]

Sets the extraction configuration settings.

Parameters:configuration (ExtractionConfiguration) – extraction configuration.
SetProcessingProfiler(processing_profiler)[source]

Sets the processing profiler.

Parameters:processing_profiler (ProcessingProfiler) – processing profiler.
SignalAbort()[source]

Signals the extraction worker to abort.

plaso.engine.zeromq_queue module

ZeroMQ implementations of the Plaso queue interface.

class plaso.engine.zeromq_queue.ZeroMQBufferedQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.zeromq_queue.ZeroMQQueue

Parent class for buffered Plaso queues.

Buffered queues use a regular Python queue to store items that are pushed or popped from the queue without blocking on underlying ZeroMQ operations.

This class should not be instantiated directly, a subclass should be instantiated instead.

Close(abort=False)[source]

Closes the queue.

Parameters:

abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost.

Raises:
  • QueueAlreadyClosed – if the queue is not started, or has already been closed.
  • RuntimeError – if closed or terminate event is missing.
Empty()[source]

Removes all items from the internal buffer.

class plaso.engine.zeromq_queue.ZeroMQBufferedReplyBindQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue

A Plaso queue backed by a ZeroMQ REP socket that binds to a port.

This queue may only be used to pop items, not to push.

SOCKET_CONNECTION_TYPE = 1
class plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.zeromq_queue.ZeroMQBufferedQueue

Parent class for buffered Plaso queues backed by ZeroMQ REP sockets.

This class should not be instantiated directly, a subclass should be instantiated instead.

Instances of this class or subclasses may only be used to push items, not to pop.

PopItem()[source]

Pops an item off the queue.

Provided for compatibility with the API, but doesn’t actually work.

Raises:WrongQueueType – As Pop is not supported by this queue.
PushItem(item, block=True)[source]

Pushes an item onto the queue.

If no ZeroMQ socket has been created, one will be created the first time this method is called.

Parameters:
  • item (object) – item to push on the queue.
  • block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises:
  • QueueAlreadyClosed – if the queue is closed.
  • QueueFull – if the internal buffer was full and it was not possible to push the item to the buffer within the timeout.
  • RuntimeError – if closed event is missing.
class plaso.engine.zeromq_queue.ZeroMQPullConnectQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.zeromq_queue.ZeroMQPullQueue

A Plaso queue backed by a ZeroMQ PULL socket that connects to a port.

This queue may only be used to pop items, not to push.

SOCKET_CONNECTION_TYPE = 2
class plaso.engine.zeromq_queue.ZeroMQPullQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.zeromq_queue.ZeroMQQueue

Parent class for Plaso queues backed by ZeroMQ PULL sockets.

This class should not be instantiated directly, a subclass should be instantiated instead.

Instances of this class or subclasses may only be used to pop items, not to push.

PopItem()[source]

Pops an item off the queue.

If no ZeroMQ socket has been created, one will be created the first time this method is called.

Returns:

item from the queue.

Return type:

object

Raises:
  • KeyboardInterrupt – if the process is sent a KeyboardInterrupt while popping an item.
  • QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout.
  • RuntimeError – if closed or terminate event is missing.
  • zmq.error.ZMQError – if a ZeroMQ error occurs.
PushItem(item, block=True)[source]

Pushes an item on to the queue.

Provided for compatibility with the API, but doesn’t actually work.

Parameters:
  • item (object) – item to push on the queue.
  • block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises:

WrongQueueType – As Push is not supported by this queue.

class plaso.engine.zeromq_queue.ZeroMQPushBindQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.zeromq_queue.ZeroMQPushQueue

A Plaso queue backed by a ZeroMQ PUSH socket that binds to a port.

This queue may only be used to push items, not to pop.

SOCKET_CONNECTION_TYPE = 1
class plaso.engine.zeromq_queue.ZeroMQPushQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.zeromq_queue.ZeroMQQueue

Parent class for Plaso queues backed by ZeroMQ PUSH sockets.

This class should not be instantiated directly, a subclass should be instantiated instead.

Instances of this class or subclasses may only be used to push items, not to pop.

PopItem()[source]

Pops an item off the queue.

Provided for compatibility with the API, but doesn’t actually work.

Raises:WrongQueueType – As Pop is not supported by this queue.
PushItem(item, block=True)[source]

Pushes an item onto the queue.

If no ZeroMQ socket has been created, one will be created the first time this method is called.

Parameters:
  • item (object) – item to push on the queue.
  • block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises:
  • KeyboardInterrupt – if the process is sent a KeyboardInterrupt while pushing an item.
  • QueueFull – if it was not possible to push the item to the queue within the timeout.
  • RuntimeError – if terminate event is missing.
  • zmq.error.ZMQError – if a ZeroMQ specific error occurs.
class plaso.engine.zeromq_queue.ZeroMQQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.plaso_queue.Queue

Interface for a ZeroMQ backed queue.

name

str – name to identify the queue.

port

int – TCP port that the queue is connected or bound to. If the queue is not yet bound or connected to a port, this value will be None.

timeout_seconds

int – number of seconds that calls to PopItem and PushItem may block for, before raising QueueEmpty.

Close(abort=False)[source]

Closes the queue.

Parameters:

abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost.

Raises:
  • QueueAlreadyClosed – if the queue is not started, or has already been closed.
  • RuntimeError – if closed or terminate event is missing.
IsBound()[source]

Checks if the queue is bound to a port.

IsConnected()[source]

Checks if the queue is connected to a port.

IsEmpty()[source]

Checks if the queue is empty.

ZeroMQ queues don’t have a concept of “empty”: there could always be messages on the queue that a producer or consumer is unaware of. Thus the queue is never considered empty, and this method returns False. Note that a queue may be unable to pop an item within the timeout, which causes PopItem to raise a QueueEmpty exception, but that is a different condition.

Returns:False, to indicate that the queue isn’t empty.
Return type:bool
Open()[source]

Opens this queue, causing the creation of a ZeroMQ socket.

Raises:QueueAlreadyStarted – if the queue is already started, and a socket already exists.
PopItem()[source]

Pops an item off the queue.

Returns:item from the queue.
Return type:object
Raises:QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout.
PushItem(item, block=True)[source]

Pushes an item on to the queue.

Parameters:
  • item (object) – item to push on the queue.
  • block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises:

QueueAlreadyClosed – if the queue is closed.

SOCKET_CONNECTION_BIND = 1
SOCKET_CONNECTION_CONNECT = 2
SOCKET_CONNECTION_TYPE = None
class plaso.engine.zeromq_queue.ZeroMQRequestConnectQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.zeromq_queue.ZeroMQRequestQueue

A Plaso queue backed by a ZeroMQ REQ socket that connects to a port.

This queue may only be used to pop items, not to push.

SOCKET_CONNECTION_TYPE = 2
class plaso.engine.zeromq_queue.ZeroMQRequestQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]

Bases: plaso.engine.zeromq_queue.ZeroMQQueue

Parent class for Plaso queues backed by ZeroMQ REQ sockets.

This class should not be instantiated directly, a subclass should be instantiated instead.

Instances of this class or subclasses may only be used to pop items, not to push.

PopItem()[source]

Pops an item off the queue.

If no ZeroMQ socket has been created, one will be created the first time this method is called.

Returns:

item from the queue.

Return type:

object

Raises:
  • KeyboardInterrupt – if the process is sent a KeyboardInterrupt while popping an item.
  • QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout.
  • RuntimeError – if terminate event is missing.
  • zmq.error.ZMQError – if an error occurs in ZeroMQ.
PushItem(item, block=True)[source]

Pushes an item on to the queue.

Provided for compatibility with the API, but doesn’t actually work.

Parameters:
  • item (object) – item to push on the queue.
  • block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises:

WrongQueueType – As Push is not supported by this queue.

Module contents

plaso.filters package

Submodules
plaso.filters.dynamic_filter module

The dynamic event object filter.

class plaso.filters.dynamic_filter.DynamicFilter[source]

Bases: plaso.filters.event_filter.EventObjectFilter

Event filter that supports selective output fields.

This filter is essentially the same as the event object filter, except that it adds a selection of the fields that an output module supporting selective fields should include, e.g.

SELECT field_a, field_b WHERE attribute contains ‘text’

will use the event object filter “attribute contains ‘text’” and at the same time indicate to the appropriate output module that the user wants only the fields field_a and field_b in the output.

CompileFilter(filter_expression)[source]

Compiles the filter expression.

The filter expression contains an object filter expression extended with selective field selection.

Parameters:filter_expression (str) – filter expression.
Raises:WrongPlugin – if the filter could not be compiled.
fields

list[str] – output fields.

limit

int – row limit.

separator

str – output field separator.

class plaso.filters.dynamic_filter.SelectiveLexer(data='')[source]

Bases: plaso.lib.lexer.Lexer

Selective filter lexer implementation.

The selective (or dynamic) filter allows constructing filter expressions such as:

SELECT field_a, field_b WHERE attribute contains ‘text’

SetFields(match, **unused_kwargs)[source]

Sets the output fields.

The output fields are the part of the filter expression directly following the SELECT statement.

Parameters:match (re.MatchObject) – a match that contains the output field names.
SetFilter(match, **unused_kwargs)[source]

Set the filter query.

The filter query is the part of the filter expression directly following the WHERE statement.

Parameters:match (re.MatchObject) – a match that contains the filter query.
SetLimit(match, **unused_kwargs)[source]

Sets the row limit.

Parameters:match (re.MatchObject) – a match that contains the row limit.
SetSeparator(match, **unused_kwargs)[source]

Sets the output field separator.

Parameters:match (re.MatchObject) – a match that contains the output field separator. Note that only the first character is used.
tokens = [<plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>]
plaso.filters.event_filter module

The event filter.

class plaso.filters.event_filter.EventObjectFilter[source]

Bases: plaso.filters.interface.FilterObject

Event filter.

CompileFilter(filter_expression)[source]

Compiles the filter expression.

The filter expression contains an object filter expression.

Parameters:filter_expression (str) – filter expression.
Raises:WrongPlugin – if the filter could not be compiled.
Match(event)[source]

Determines if an event matches the filter.

Parameters:event (EventObject) – an event.
Returns:True if the event matches the filter.
Return type:bool
plaso.filters.file_entry module

File entry filters.

class plaso.filters.file_entry.DateTimeFileEntryFilter[source]

Bases: plaso.filters.file_entry.FileEntryFilter

Date and time-based file entry filter.

AddDateTimeRange(time_value, start_time_string=None, end_time_string=None)[source]

Adds a date time filter range.

The time strings are formatted as YYYY-MM-DD hh:mm:ss.######[+-]##:##, where each # is a digit from 0 to 9 and the seconds fraction has either 3 or 6 digits. The time of day, seconds fraction and timezone offset are optional. The default timezone is UTC.

Parameters:
  • time_value (str) – time value, such as atime, ctime, crtime, dtime, bkup or mtime.
  • start_time_string (str) – start date and time value string.
  • end_time_string (str) – end date and time value string.
Raises:

ValueError – If the filter is badly formed.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
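As an added example (not plaso's own code), the parser below accepts the time strings described for AddDateTimeRange and applies a range to a file entry's timestamps the way Matches does, returning True, False or None. The file entry is a constructed dict of time values standing in for a dfvfs.FileEntry, and the class and function names are assumptions, not the plaso API:

```python
"""Parses the date/time strings accepted by the DateTimeFileEntryFilter
range and applies the range to a file entry's timestamps.

Added example code, not plaso's implementation. The file entry stand-in is
a plain dict of time values, not a dfvfs.FileEntry.
"""
import datetime
import re

# YYYY-MM-DD hh:mm:ss.######[+-]##:## with the time of day, the seconds
# fraction (3 or 6 digits) and the timezone offset each optional.
_TIME_STRING_RE = re.compile(
    r'^(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})'
    r'(?: (?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'
    r'(?:\.(?P<fraction>\d{6}|\d{3}))?'
    r'(?:(?P<tz_sign>[+-])(?P<tz_hour>\d{2}):(?P<tz_minute>\d{2}))?)?$')

_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
_TIME_VALUES = frozenset(['atime', 'bkup', 'crtime', 'ctime', 'dtime', 'mtime'])


def ParseTimeString(time_string):
  """Converts a filter time string to microseconds since the POSIX epoch.

  Raises:
    ValueError: if the string does not follow the documented format or
        names an impossible date (datetime checks the ranges for us).
  """
  match = _TIME_STRING_RE.match(time_string)
  if not match:
    raise ValueError('Badly formed time string: {0:s}'.format(time_string))
  parts = match.groupdict()

  # A 3-digit fraction is milliseconds: pad to 6 digits for microseconds.
  fraction = parts['fraction'] or ''
  microseconds = int(fraction.ljust(6, '0')) if fraction else 0

  offset = datetime.timedelta(0)  # no offset given: the default is UTC
  if parts['tz_sign']:
    offset = datetime.timedelta(
        hours=int(parts['tz_hour']), minutes=int(parts['tz_minute']))
    if parts['tz_sign'] == '-':
      offset = -offset

  date_time = datetime.datetime(
      int(parts['year']), int(parts['month']), int(parts['day']),
      int(parts['hour'] or 0), int(parts['minute'] or 0),
      int(parts['second'] or 0), microseconds,
      tzinfo=datetime.timezone(offset))
  return (date_time - _EPOCH) // datetime.timedelta(microseconds=1)


def IsValidTimeString(time_string):
  """True if ParseTimeString accepts the string; handy for validating a user
  supplied filter range before processing starts."""
  try:
    ParseTimeString(time_string)
  except ValueError:
    return False
  return True


class DateTimeRange(object):
  """One time value range, as added by AddDateTimeRange."""

  def __init__(self, time_value, start_time_string=None, end_time_string=None):
    if time_value not in _TIME_VALUES:
      raise ValueError('Unsupported time value: {0:s}'.format(time_value))
    if start_time_string is None and end_time_string is None:
      raise ValueError('A start and/or end time is required')
    self.time_value = time_value
    self.start = (None if start_time_string is None
                  else ParseTimeString(start_time_string))
    self.end = (None if end_time_string is None
                else ParseTimeString(end_time_string))
    if self.start is not None and self.end is not None and self.start > self.end:
      raise ValueError('Start time is after end time')

  def Matches(self, file_entry):
    """Returns True on a match, False on a miss and None if the entry has no
    such timestamp, i.e. the filter does not apply (file_entry is a dict)."""
    timestamp = file_entry.get(self.time_value)
    if timestamp is None:
      return None
    if self.start is not None and timestamp < self.start:
      return False
    if self.end is not None and timestamp > self.end:
      return False
    return True


# Constructed stand-in for a file entry's timestamps (microseconds, UTC).
SAMPLE_FILE_ENTRY = {
    'mtime': ParseTimeString('2017-09-30 12:34:56'),
    'crtime': ParseTimeString('2017-09-01'),
    'atime': None,
}
```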
class plaso.filters.file_entry.ExtensionsFileEntryFilter(extensions)[source]

Bases: plaso.filters.file_entry.FileEntryFilter

Extensions-based file entry filter.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.FileEntryFilter[source]

Bases: object

File entry filter interface.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.FileEntryFilterCollection[source]

Bases: object

Collection of file entry filters.

AddFilter(file_entry_filter)[source]

Adds a file entry filter to the collection.

Parameters:file_entry_filter (FileEntryFilter) – file entry filter.
HasFilters()[source]

Determines if filters are defined.

Returns:True if filters are defined.
Return type:bool
Matches(file_entry)[source]

Compares the file entry against the filter collection.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:True if the file entry matches one of the filters. If no filters are provided or applicable the result will be True.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.NamesFileEntryFilter(names)[source]

Bases: plaso.filters.file_entry.FileEntryFilter

Names-based file entry filter.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:True if the file entry matches the filter.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.SignaturesFileEntryFilter(specification_store, signature_identifiers)[source]

Bases: plaso.filters.file_entry.FileEntryFilter

Signature-based file entry filter.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
plaso.filters.filter_list module

List of object-filters.

class plaso.filters.filter_list.ObjectFilterList[source]

Bases: plaso.filters.interface.FilterObject

A list of object-filters with additional metadata.

CompileFilter(filter_expression)[source]

Compiles the filter expression.

The filter expression contains the name of a YAML file.

Parameters:filter_expression (str) – filter expression.
Raises:WrongPlugin – if the filter could not be compiled.
Match(event)[source]

Determines if an event object matches the filter.

Parameters:event (EventObject) – event.
Returns:True if the filter matched.
Return type:bool
plaso.filters.interface module

Filter interface.

class plaso.filters.interface.FilterObject[source]

Bases: object

Filter object interface.

CompileFilter(filter_expression)[source]

Compiles the filter expression.

Parameters:filter_expression (str) – filter expression.
Raises:WrongPlugin – if the filter could not be compiled.
Match(event)[source]

Determines if an event matches the filter.

Parameters:event (EventObject) – event.
Returns:True if there is a match.
Return type:bool
fields

list[str] – name of the fields.

filter_expression

object – compiled filter expression or None.

filter_name

str – name of the filter.

limit

int – row limit.

separator

str – output field separator.

plaso.filters.manager module

This file contains the event filters manager class.

class plaso.filters.manager.FiltersManager[source]

Bases: object

Filters manager.

classmethod DeregisterFilter(filter_class)[source]

Deregisters a filter class.

The filter classes are identified based on their lower case filter name.

Parameters:filter_class (type) – class object of the filter.
Raises:KeyError – if filter class is not set for the corresponding filter name.
classmethod GetFilterObject(filter_expression)[source]

Creates instances of specific filters.

Parameters:filter_expression (str) – filter expression.
Returns:the first filter found matching the filter string or None if no corresponding filter is available.
Return type:FilterObject
classmethod GetFilterObjects()[source]

Creates instances of the available filters.

Returns:available filters.
Return type:list[FilterObject]
classmethod RegisterFilter(filter_class)[source]

Registers a filter class.

The filter classes are identified based on their lower case filter name.

Parameters:filter_class (type) – class object of the filter.
Raises:KeyError – if filter class is already set for the corresponding filter name.
classmethod RegisterFilters(filter_classes)[source]

Registers filter classes.

The filter classes are identified based on their lower case filter name.

Parameters:filter_classes (list[type]) – class objects of the filters.
Raises:KeyError – if filter class is already set for the corresponding filter name.
plaso.filters.path_filter module

A scan tree-based path filter implementation.

The scan tree is a tree built from multiple paths that stores the path segments per node. The most significant path segment is at the root and is therefore compared first. More information can be found here: https://github.com/libyal/libsigscan/wiki/Internals#scanning-tree-based-signature-scanning

The scan tree is used in the filter to filter provided paths.

class plaso.filters.path_filter.PathFilterScanTree(paths, case_sensitive=True, path_segment_separator='/')[source]

Bases: object

Class that implements a path filter scan tree.

CheckPath(path, path_segment_separator=None)[source]

Checks if a path matches the scan tree-based path filter.

Parameters:
  • path – a string containing the path.
  • path_segment_separator – optional string containing the path segment separator. None defaults to the path segment separator that was set when the path filter scan tree was initialized.
Returns:

A boolean indicating if the path matches the filter.

class plaso.filters.path_filter.PathFilterScanTreeNode(path_segment_index)[source]

Bases: object

Class that implements a path filter scan tree node.

The path filter scan tree node defines the path segments for a specific path segment index to filter. Each path segment will point to a scan object that indicates the next part of the path filter. A default value indicates the scan object to use next when there was no match.

default_value

the default scan object, either a scan tree sub node (instance of PathFilterScanTreeNode) or a string containing a path.

parent

the parent path filter scan tree node or None.

path_segment_index

an integer containing the path segment index represented by the node.

AddPathSegment(path_segment, scan_object)[source]

Adds a path segment.

Parameters:
  • path_segment – a string containing the path segment.
  • scan_object – a scan object, either a scan tree sub node (instance of PathFilterScanTreeNode) or a string containing a path.
Raises:

ValueError – if the node already contains a scan object for the path segment.

GetScanObject(path_segment)[source]

Retrieves the scan object for a specific path segment.

Parameters:path_segment – a string containing the path segment.
Returns:A scan object, which can be a scan tree sub node (instance of PathFilterScanTreeNode), a path or the default value.
SetDefaultValue(scan_object)[source]

Sets the default (non-match) value.

Parameters:

scan_object – a scan object, either a scan tree sub node (instance of PathFilterScanTreeNode) or a string containing a path.

Raises:
  • TypeError – if the scan object is of an unsupported type.
  • ValueError – if the default value is already set.
ToDebugString(indentation_level=1)[source]

Converts the path filter scan tree node into a debug string.

Parameters:indentation_level – an integer containing the text indentation level.
Returns:A string containing a debug representation of the path filter scan tree node.
path_segments

A list of strings containing the path segments.
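The following is an added example, not plaso's implementation, of a scan tree path filter built the way PathFilterScanTree and PathFilterScanTreeNode are described above: the root compares path segment index 0, each matching segment leads to a sub node or to a single remaining filter path, and a node's default value is the scan object used when no segment at its index matches. The class and method names mirror the documented API but the internals are assumptions, and the filter paths are constructed samples:

```python
"""Scan tree-based path filter in the style described for
plaso.filters.path_filter. Added example code, not plaso's implementation;
only the class and method names mirror the documented API.
"""


class PathFilterScanTreeNode(object):
  """Node holding the path segments for one path segment index."""

  def __init__(self, path_segment_index):
    self.path_segment_index = path_segment_index
    self.default_value = None
    self._scan_objects = {}  # path segment -> sub node or full path string

  @property
  def path_segments(self):
    return sorted(self._scan_objects)

  def AddPathSegment(self, path_segment, scan_object):
    if path_segment in self._scan_objects:
      raise ValueError('Segment already present: {0:s}'.format(path_segment))
    self._scan_objects[path_segment] = scan_object

  def GetScanObject(self, path_segment):
    # Unknown segment: fall back to the default scan object (may be None).
    return self._scan_objects.get(path_segment, self.default_value)

  def SetDefaultValue(self, scan_object):
    if not isinstance(scan_object, (PathFilterScanTreeNode, str)):
      raise TypeError('Unsupported scan object type')
    if self.default_value is not None:
      raise ValueError('Default value already set')
    self.default_value = scan_object


class PathFilterScanTree(object):
  """Builds a scan tree from filter paths and checks paths against it."""

  def __init__(self, paths, case_sensitive=True, path_segment_separator='/'):
    self._case_sensitive = case_sensitive
    self._separator = path_segment_separator
    entries = {}
    for path in paths:
      canonical, segments = self._Canonicalize(path, path_segment_separator)
      entries[canonical] = segments  # the dict drops duplicate filter paths
    self._root = self._BuildNode(sorted(entries.items()), 0)

  def _Canonicalize(self, path, separator):
    """Splits a path into segments and rebuilds it with the tree's separator,
    so leaf comparison does not depend on doubled or trailing separators
    (nor on letter case when the tree is case insensitive)."""
    if not self._case_sensitive:
      path = path.lower()
    segments = [segment for segment in path.split(separator) if segment]
    return self._separator + self._separator.join(segments), segments

  def _BuildNode(self, entries, index):
    node = PathFilterScanTreeNode(index)
    groups = {}
    for path, segments in entries:
      if len(segments) <= index:
        # This filter path ends before this index, e.g. '/etc' under a node
        # that also holds '/etc/passwd': it becomes the node's default value.
        node.SetDefaultValue(path)
      else:
        groups.setdefault(segments[index], []).append((path, segments))
    for segment, group in groups.items():
      if len(group) == 1:
        node.AddPathSegment(segment, group[0][0])  # leaf: the full path
      else:
        node.AddPathSegment(segment, self._BuildNode(group, index + 1))
    return node

  def CheckPath(self, path, path_segment_separator=None):
    """Returns True if the path is one of the filter paths."""
    separator = path_segment_separator or self._separator
    canonical, segments = self._Canonicalize(path, separator)
    scan_object = self._root
    while isinstance(scan_object, PathFilterScanTreeNode):
      index = scan_object.path_segment_index
      if index < len(segments):
        scan_object = scan_object.GetScanObject(segments[index])
      else:
        scan_object = scan_object.default_value
    # scan_object is now a filter path or None; confirm the exact match, since
    # reaching a leaf only means no other filter path shares the prefix.
    return scan_object == canonical
```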

Module contents

This file imports Python modules that register filters.

plaso.formatters package

Submodules
plaso.formatters.amcache module

The Windows Registry Amcache entries event formatter.

class plaso.formatters.amcache.AmcacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Windows Registry event.

DATA_TYPE = 'windows:registry:amcache'
FORMAT_STRING_PIECES = ['path: {full_path}', 'sha1: {sha1}', 'productname: {productname}', 'companyname: {companyname}', 'fileversion: {fileversion}', 'languagecode: {languagecode}', 'filesize: {filesize}', 'filedescription: {filedescription}', 'linkerts: {linkerts}', 'lastmodifiedts: {lastmodifiedts}', 'createdts: {createdts}', 'programid: {programid}']
FORMAT_STRING_SHORT_PIECES = ['path: {full_path}']
SOURCE_LONG = 'Amcache Registry Entry'
SOURCE_SHORT = 'AMCACHE'
class plaso.formatters.amcache.AmcacheProgramsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Programs Windows Registry event.

DATA_TYPE = 'windows:registry:amcache:programs'
FORMAT_STRING_PIECES = ['name: {name}', 'version: {version}', 'publisher: {publisher}', 'languagecode: {languagecode}', 'entrytype: {entrytype}', 'uninstallkey: {uninstallkey}', 'filepaths: {filepaths}', 'productcode: {productcode}', 'packagecode: {packagecode}', 'msiproductcode: {msiproductcode}', 'msipackagecode: {msipackagecode}', 'files: {files}']
FORMAT_STRING_SHORT_PIECES = ['name: {name}']
SOURCE_LONG = 'Amcache Programs Registry Entry'
SOURCE_SHORT = 'AMCACHEPROGRAM'
plaso.formatters.android_app_usage module

The Android Application Usage event formatter.

class plaso.formatters.android_app_usage.AndroidApplicationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Application Last Resumed event.

DATA_TYPE = 'android:event:last_resume_time'
FORMAT_STRING_PIECES = ['Package: {package}', 'Component: {component}']
SOURCE_LONG = 'Android App Usage'
SOURCE_SHORT = 'LOG'
plaso.formatters.android_calls module

The Android contacts2.db database event formatter.

class plaso.formatters.android_calls.AndroidCallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android call history event.

DATA_TYPE = 'android:event:call'
FORMAT_STRING_PIECES = ['{call_type}', 'Number: {number}', 'Name: {name}', 'Duration: {duration} seconds']
FORMAT_STRING_SHORT_PIECES = ['{call_type} Call']
SOURCE_LONG = 'Android Call History'
SOURCE_SHORT = 'LOG'
plaso.formatters.android_sms module

The Android mmssms.db database event formatter.

class plaso.formatters.android_sms.AndroidSmsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android SMS event.

DATA_TYPE = 'android:messaging:sms'
FORMAT_STRING_PIECES = ['Type: {sms_type}', 'Address: {address}', 'Status: {sms_read}', 'Message: {body}']
FORMAT_STRING_SHORT_PIECES = ['{body}']
SOURCE_LONG = 'Android SMS messages'
SOURCE_SHORT = 'SMS'
plaso.formatters.android_webview module

The Android WebView database event formatter.

class plaso.formatters.android_webview.AndroidWebViewCookieEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebView Cookie event data.

DATA_TYPE = 'webview:cookie'
FORMAT_STRING_PIECES = ['Domain: {domain}', 'Path: {path}', 'Cookie name: {name}', 'Value: {value}', 'Secure: {secure}']
FORMAT_STRING_SHORT_PIECES = ['{domain}', '{name}', '{value}']
SOURCE_LONG = 'Android WebView'
SOURCE_SHORT = 'WebView'
plaso.formatters.android_webviewcache module

The Android WebViewCache database event formatter.

class plaso.formatters.android_webviewcache.AndroidWebViewCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebViewCache event data.

DATA_TYPE = 'android:webviewcache'
FORMAT_STRING_PIECES = ['URL: {url}', 'Content Length: {content_length}']
FORMAT_STRING_SHORT_PIECES = ['{url}']
SOURCE_LONG = 'Android WebViewCache'
SOURCE_SHORT = 'WebViewCache'
plaso.formatters.apache_access module

Apache access log file event formatter.

class plaso.formatters.apache_access.ApacheAccessFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Apache access log event.

DATA_TYPE = 'apache:access'
FORMAT_STRING_PIECES = ['http_request: {http_request}', 'from: {ip_address}', 'code: {http_response_code}', 'referer: {http_request_referer}', 'user_agent: {http_request_user_agent}']
FORMAT_STRING_SHORT_PIECES = ['{http_request}', 'from: {ip_address}']
SOURCE_LONG = 'Apache Access'
SOURCE_SHORT = 'LOG'
plaso.formatters.appcompatcache module

The Windows Registry AppCompatCache entries event formatter.

class plaso.formatters.appcompatcache.AppCompatCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an AppCompatCache Windows Registry event.

DATA_TYPE = 'windows:registry:appcompatcache'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Cached entry: {entry_index}', 'Path: {path}']
FORMAT_STRING_SHORT_PIECES = ['Path: {path}']
SOURCE_LONG = 'AppCompatCache Registry Entry'
SOURCE_SHORT = 'REG'
plaso.formatters.appusage module

The MacOS application usage event formatter.

class plaso.formatters.appusage.ApplicationUsageFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MacOS Application usage event.

DATA_TYPE = 'macosx:application_usage'
FORMAT_STRING = '{application} v.{app_version} (bundle: {bundle_id}). Launched: {count} time(s)'
FORMAT_STRING_SHORT = '{application} ({count} time(s))'
SOURCE_LONG = 'Application Usage'
SOURCE_SHORT = 'LOG'
plaso.formatters.asl module

The Apple System Log (ASL) event formatter.

class plaso.formatters.asl.ASLFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Apple System Log (ASL) log event.

DATA_TYPE = 'mac:asl:event'
FORMAT_STRING_PIECES = ['MessageID: {message_id}', 'Level: {level}', 'User ID: {user_sid}', 'Group ID: {group_id}', 'Read User: {read_uid}', 'Read Group: {read_gid}', 'Host: {computer_name}', 'Sender: {sender}', 'Facility: {facility}', 'Message: {message}', '{extra_information}']
FORMAT_STRING_SHORT_PIECES = ['Host: {host}', 'Sender: {sender}', 'Facility: {facility}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'ASL entry'
SOURCE_SHORT = 'LOG'
plaso.formatters.bash_history module

The Bash history event formatter.

class plaso.formatters.bash_history.BashHistoryEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for Bash history events.

DATA_TYPE = 'bash:history:command'
FORMAT_STRING = 'Command executed: {command}'
FORMAT_STRING_SHORT = '{command}'
SOURCE_LONG = 'Bash History'
SOURCE_SHORT = 'LOG'
plaso.formatters.bencode_parser module

The bencode parser event formatters.

class plaso.formatters.bencode_parser.TransmissionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Transmission active torrents event.

DATA_TYPE = 'p2p:bittorrent:transmission'
FORMAT_STRING_PIECES = ['Saved to {destination}', 'Minutes seeded: {seedtime}']
FORMAT_STRING_SEPARATOR = '; '
SOURCE_LONG = 'Transmission Active Torrents'
SOURCE_SHORT = 'TORRENT'
class plaso.formatters.bencode_parser.UTorrentEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BitTorrent uTorrent active torrents event.

DATA_TYPE = 'p2p:bittorrent:utorrent'
FORMAT_STRING_PIECES = ['Torrent {caption}', 'Saved to {path}', 'Minutes seeded: {seedtime}']
FORMAT_STRING_SEPARATOR = '; '
SOURCE_LONG = 'uTorrent Active Torrents'
SOURCE_SHORT = 'TORRENT'
plaso.formatters.bsm module

The Basic Security Module (BSM) binary files event formatter.

class plaso.formatters.bsm.BSMFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BSM log entry.

DATA_TYPE = 'bsm:event'
FORMAT_STRING_PIECES = ['Type: {event_type_string}', '({event_type})', 'Return: {return_value}', 'Information: {extra_tokens}']
FORMAT_STRING_SHORT_PIECES = ['Type: {event_type}', 'Return: {return_value}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'BSM entry'
SOURCE_SHORT = 'LOG'
plaso.formatters.ccleaner module

The CCleaner event formatter.

class plaso.formatters.ccleaner.CCleanerUpdateEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CCleaner update event.

DATA_TYPE = 'ccleaner:update'
FORMAT_STRING_PIECES = ['Origin: {key_path}']
FORMAT_STRING_SHORT_PIECES = ['Origin: {key_path}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'
plaso.formatters.chrome module

The Google Chrome history event formatters.

class plaso.formatters.chrome.ChromeFileDownloadFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome file download event.

DATA_TYPE = 'chrome:history:file_downloaded'
FORMAT_STRING_PIECES = ['{url}', '({full_path}).', 'Received: {received_bytes} bytes', 'out of: {total_bytes} bytes.']
FORMAT_STRING_SHORT_PIECES = ['{full_path} downloaded', '({received_bytes} bytes)']
SOURCE_LONG = 'Chrome History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.chrome.ChromePageVisitedFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome page visited event.

DATA_TYPE = 'chrome:history:page_visited'
FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {typed_count}]', 'Visit from: {from_visit}', 'Visit Source: [{visit_source}]', 'Type: [{page_transition}]', '{extra}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '({title})']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome History'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.chrome_autofill module

The Google Chrome autofill database event formatter.

class plaso.formatters.chrome_autofill.ChromeAutofillFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome autofill event.

DATA_TYPE = 'chrome:autofill:entry'
FORMAT_STRING_PIECES = ['Form field name: {field_name}', 'Entered value: {value}', 'Times used: {usage_count}']
FORMAT_STRING_SHORT_PIECES = ['{field_name}:', '{value}', '({usage_count})']
SOURCE_LONG = 'Chrome Autofill'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.chrome_cache module

The Google Chrome Cache files event formatter.

class plaso.formatters.chrome_cache.ChromeCacheEntryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome Cache entry event.

DATA_TYPE = 'chrome:cache:entry'
FORMAT_STRING_PIECES = ['Original URL: {original_url}']
SOURCE_LONG = 'Chrome Cache'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.chrome_cookies module

The Google Chrome cookies database event formatter.

class plaso.formatters.chrome_cookies.ChromeCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome cookie event.

DATA_TYPE = 'chrome:cookie:entry'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Flags:', '[HTTP only] = {httponly}', '[Persistent] = {persistent}']
FORMAT_STRING_SHORT_PIECES = ['{host}', '({cookie_name})']
SOURCE_LONG = 'Chrome Cookies'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.chrome_extension_activity module

The Google Chrome extension activity database event formatter.

class plaso.formatters.chrome_extension_activity.ChromeExtensionActivityEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension activity event.

DATA_TYPE = 'chrome:extension_activity:activity_log'
FORMAT_STRING_PIECES = ['Chrome extension: {extension_id}', 'Action type: {action_type}', 'Activity identifier: {activity_id}', 'Page URL: {page_url}', 'Page title: {page_title}', 'API name: {api_name}', 'Args: {args}', 'Other: {other}']
FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{api_name}', '{args}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome Extension Activity'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.chrome_preferences module

The Google Chrome Preferences file event formatter.

class plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome content_settings exceptions event.

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'
FORMAT_STRING_PIECES = ['Permission {permission}', 'used by {subject}']
FORMAT_STRING_SHORT_PIECES = ['Permission {permission}', 'used by {subject}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome Permission Event'
SOURCE_SHORT = 'LOG'
class plaso.formatters.chrome_preferences.ChromeExtensionInstallationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension installation event.

DATA_TYPE = 'chrome:preferences:extension_installation'
FORMAT_STRING_PIECES = ['CRX ID: {extension_id}', 'CRX Name: {extension_name}', 'Path: {path}']
FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{path}']
SOURCE_LONG = 'Chrome Extension Installation'
SOURCE_SHORT = 'LOG'
class plaso.formatters.chrome_preferences.ChromeExtensionsAutoupdaterEvent[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome Extensions Autoupdater events.

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'
FORMAT_STRING_PIECES = ['{message}']
FORMAT_STRING_SHORT_PIECES = ['{message}']
SOURCE_LONG = 'Chrome Extensions Autoupdater'
SOURCE_SHORT = 'LOG'
class plaso.formatters.chrome_preferences.ChromePreferencesClearHistoryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome history clearing events.

DATA_TYPE = 'chrome:preferences:clear_history'
FORMAT_STRING_PIECES = ['{message}']
FORMAT_STRING_SHORT_PIECES = ['{message}']
SOURCE_LONG = 'Chrome History Deletion'
SOURCE_SHORT = 'LOG'
plaso.formatters.cron module

The syslog cron formatters.

class plaso.formatters.cron.CronTaskRunEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog cron task run event.

DATA_TYPE = 'syslog:cron:task_run'
FORMAT_STRING_PIECES = ['Cron ran: {command}', 'for user: {username}', 'pid: {pid}']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'Cron log'
SOURCE_SHORT = 'LOG'
plaso.formatters.cups_ipp module

The CUPS IPP file event formatter.

class plaso.formatters.cups_ipp.CupsIppFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CUPS IPP event.

DATA_TYPE = 'cups:ipp:event'
FORMAT_STRING_PIECES = ['Status: {status}', 'User: {user}', 'Owner: {owner}', 'Job Name: {job_name}', 'Application: {application}', 'Document type: {type_doc}', 'Printer: {printer_id}']
FORMAT_STRING_SHORT_PIECES = ['Status: {status}', 'Job Name: {job_name}']
SOURCE_LONG = 'CUPS IPP Log'
SOURCE_SHORT = 'LOG'
plaso.formatters.default module

The default event formatter.

class plaso.formatters.default.DefaultFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = 'event'
FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'
FORMAT_STRING_SHORT = '<DEFAULT> {attribute_driven}'
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

plaso.formatters.docker module

The Docker event formatter.

class plaso.formatters.docker.DockerBaseEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class that contains common Docker event formatter functionality.

DATA_TYPE = 'docker:json'
FORMAT_STRING_SHORT_PIECES = ['{id}']
SOURCE_SHORT = 'DOCKER'
class plaso.formatters.docker.DockerContainerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker event.

DATA_TYPE = 'docker:json:container'
FORMAT_STRING_PIECES = ['Action: {action}', 'Container Name: {container_name}', 'Container ID: {container_id}']
FORMAT_STRING_SEPARATOR = ', '
SOURCE_LONG = 'Docker Container'
SOURCE_SHORT = 'DOCKER'
class plaso.formatters.docker.DockerContainerLogEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker container log event.

DATA_TYPE = 'docker:json:container:log'
FORMAT_STRING_PIECES = ('Text: {log_line}', 'Container ID: {container_id}', 'Source: {log_source}')
FORMAT_STRING_SEPARATOR = ', '
SOURCE_LONG = 'Docker Container Logs'
SOURCE_SHORT = 'DOCKER'
class plaso.formatters.docker.DockerLayerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker layer event.

DATA_TYPE = 'docker:json:layer'
FORMAT_STRING_PIECES = ('Command: {command}', 'Layer ID: {layer_id}')
FORMAT_STRING_SEPARATOR = ', '
SOURCE_LONG = 'Docker Layer'
SOURCE_SHORT = 'DOCKER'
plaso.formatters.dpkg module

The dpkg.log event formatter.

class plaso.formatters.dpkg.DpkgFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a dpkg log file event.

DATA_TYPE = 'dpkg:line'
FORMAT_STRING_PIECES = ['{body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'dpkg log File'
SOURCE_SHORT = 'LOG'
plaso.formatters.file_history module

The file history ESE database event formatter.

class plaso.formatters.file_history.FileHistoryNamespaceEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a file history ESE database namespace table record.

DATA_TYPE = 'file_history:namespace:event'
FORMAT_STRING_PIECES = ['Filename: {original_filename}', 'Identifier: {identifier}', 'Parent Identifier: {parent_identifier}', 'Attributes: {file_attribute}', 'USN number: {usn_number}']
FORMAT_STRING_SHORT_PIECES = ['Filename: {original_filename}']
SOURCE_LONG = 'File History Namespace'
SOURCE_SHORT = 'LOG'
plaso.formatters.file_system module

The file system stat event formatter.

class plaso.formatters.file_system.FileStatEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The file system stat event formatter.

DATA_TYPE = 'fs:stat'
FORMAT_STRING_PIECES = ['{display_name}', 'Type: {file_entry_type}', '({unallocated})']
FORMAT_STRING_SHORT_PIECES = ['(unknown)']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

GetSources(event)[source]

Determines the short and long source for an event object.

Parameters: event (EventObject) – event.
Returns: short and long source string.
Return type: tuple(str, str)
Raises: WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_SHORT = 'FILE'
class plaso.formatters.file_system.NTFSFileStatEventFormatter[source]

Bases: plaso.formatters.file_system.FileStatEventFormatter

The NTFS file system stat event formatter.

DATA_TYPE = 'fs:stat:ntfs'
FORMAT_STRING_PIECES = ['{display_name}', 'File reference: {file_reference}', 'Attribute name: {attribute_name}', 'Name: {name}', 'Parent file reference: {parent_file_reference}', '({unallocated})']
FORMAT_STRING_SHORT_PIECES = ['(unknown)', '{file_reference}', '{attribute_name}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'
class plaso.formatters.file_system.NTFSUSNChangeEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The NTFS USN change event formatter.

DATA_TYPE = 'fs:ntfs:usn_change'
FORMAT_STRING_PIECES = ['(unknown)', 'File reference: {file_reference}', 'Parent file reference: {parent_file_reference}', 'Update source: {update_source}', 'Update reason: {update_reason}']
FORMAT_STRING_SHORT_PIECES = ['(unknown)', '{file_reference}', '{update_reason}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'
plaso.formatters.firefox module

The Mozilla Firefox history event formatter.

class plaso.formatters.firefox.FirefoxBookmarkAnnotationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox bookmark annotation event formatter.

DATA_TYPE = 'firefox:places:bookmark_annotation'
FORMAT_STRING_PIECES = ['Bookmark Annotation: [{content}]', 'to bookmark [{title}]', '({url})']
FORMAT_STRING_SHORT_PIECES = ['Bookmark Annotation: {title}']
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.firefox.FirefoxBookmarkFolderFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

The Firefox bookmark folder event formatter.

DATA_TYPE = 'firefox:places:bookmark_folder'
FORMAT_STRING = '{title}'
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.firefox.FirefoxBookmarkFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox URL bookmark event formatter.

DATA_TYPE = 'firefox:places:bookmark'
FORMAT_STRING_PIECES = ['Bookmark {type}', '{title}', '({url})', '[{places_title}]', 'visit count {visit_count}']
FORMAT_STRING_SHORT_PIECES = ['Bookmarked {title}', '({url})']
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.firefox.FirefoxDowloadFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

The Firefox download event formatter.

DATA_TYPE = 'firefox:downloads:download'
FORMAT_STRING = '{url} ({full_path}). Received: {received_bytes} bytes out of: {total_bytes} bytes.'
FORMAT_STRING_SHORT = '{full_path} downloaded ({received_bytes} bytes)'
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.firefox.FirefoxPageVisitFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox page visited event formatter.

DATA_TYPE = 'firefox:places:page_visited'
FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {visit_count}]', 'Host: {host}', '{extra_string}']
FORMAT_STRING_SHORT_PIECES = ['URL: {url}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.firefox_cache module

The Firefox cache record event formatter.

class plaso.formatters.firefox_cache.FirefoxCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cache record event formatter.

DATA_TYPE = 'firefox:cache:record'
FORMAT_STRING_PIECES = ['Fetched {fetch_count} time(s)', '[{response_code}]', '{request_method}', '"{url}"']
FORMAT_STRING_SHORT_PIECES = ['[{response_code}]', '{request_method}', '"{url}"']
SOURCE_LONG = 'Firefox Cache'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.firefox_cookies module

The Firefox cookie entry event formatter.

class plaso.formatters.firefox_cookies.FirefoxCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cookie entry event formatter.

DATA_TYPE = 'firefox:cookie:entry'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Flags:', '[HTTP only]: {httponly}', '(GA analysis: {ga_data})']
FORMAT_STRING_SHORT_PIECES = ['{host}', '({cookie_name})']
SOURCE_LONG = 'Firefox Cookies'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.fseventsd module

The fseventsd event formatter.

class plaso.formatters.fseventsd.FSEventsdEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The fseventsd event formatter.

DATA_TYPE = 'macos:fseventsd:record'
FORMAT_STRING_PIECES = ['{path}', 'Flag Values:', '{flag_values}', 'Flags:', '{hex_flags}', 'Event Identifier:', '{event_identifier}']
FORMAT_STRING_SHORT_PIECES = ['{path}', '{flag_values}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_SHORT = 'FSEVENT'
plaso.formatters.ganalytics module

The Google Analytics cookie event formatters.

class plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The UTMA Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utma'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Visitor ID: {visitor_id}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']
SOURCE_LONG = 'Google Analytics Cookies'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.ganalytics.AnalyticsUtmbCookieFormatter[source]

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMB Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmb'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Pages Viewed: {pages_viewed}', 'Domain Hash: {domain_hash}']
class plaso.formatters.ganalytics.AnalyticsUtmtCookieFormatter[source]

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMT Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmt'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})']
class plaso.formatters.ganalytics.AnalyticsUtmzCookieFormatter[source]

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMZ Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmz'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Sources: {sources}', 'Last source used to access: {utmcsr}', 'Ad campaign information: {utmccn}', 'Last type of visit: {utmcmd}', 'Keywords used to find site: {utmctr}', 'Path to the page of referring link: {utmcct}']
plaso.formatters.gdrive module

The Google Drive snapshots event formatter.

class plaso.formatters.gdrive.GDriveCloudEntryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot cloud event.

DATA_TYPE = 'gdrive:snapshot:cloud_entry'
FORMAT_STRING_PIECES = ['File Path: {path}', '[{shared}]', 'Size: {size}', 'URL: {url}', 'Type: {document_type}']
FORMAT_STRING_SHORT_PIECES = ['{path}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Google Drive (cloud entry)'
SOURCE_SHORT = 'LOG'
class plaso.formatters.gdrive.GDriveLocalEntryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot local event.

DATA_TYPE = 'gdrive:snapshot:local_entry'
FORMAT_STRING_PIECES = ['File Path: {path}', 'Size: {size}']
FORMAT_STRING_SHORT_PIECES = ['{path}']
SOURCE_LONG = 'Google Drive (local entry)'
SOURCE_SHORT = 'LOG'
plaso.formatters.gdrive_synclog module

Google Drive Sync log event formatter.

class plaso.formatters.gdrive_synclog.GoogleDriveSyncLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive Sync log file event.

DATA_TYPE = 'gdrive_sync:log:line'
FORMAT_STRING_PIECES = ['[{log_level}', '{pid}', '{thread}', '{source_code}]', '{message}']
FORMAT_STRING_SHORT_PIECES = ['{message}']
SOURCE_LONG = 'GoogleDriveSync Log File'
SOURCE_SHORT = 'LOG'
plaso.formatters.hachoir module

The Hachoir event formatter.

class plaso.formatters.hachoir.HachoirFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Hachoir event.

DATA_TYPE = 'metadata:hachoir'
FORMAT_STRING = '{data}'
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Hachoir Metadata'
SOURCE_SHORT = 'META'
plaso.formatters.hangouts_messages module

The Google Hangouts messages database event formatter.

class plaso.formatters.hangouts_messages.HangoutsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Hangouts message event.

DATA_TYPE = 'android:messaging:hangouts'
FORMAT_STRING_PIECES = ['Sender: {sender}', 'Body: {body}', 'Status: {message_status}', 'Type: {message_type}']
FORMAT_STRING_SHORT_PIECES = ['{body}']
GetMessages(unused_formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters:
  • unused_formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components; not used by this formatter.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Google Hangouts Message'
SOURCE_SHORT = 'HANGOUTS'
VALUE_FORMATTERS = {'message_status': <function HangoutsFormatter.<lambda>>, 'message_type': <function HangoutsFormatter.<lambda>>}
plaso.formatters.iis module

The Microsoft IIS log file event formatter.

class plaso.formatters.iis.IISLogFileEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft IIS log file event.

DATA_TYPE = 'iis:log:line'
FORMAT_STRING_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']', 'HTTP Status: {http_status}', 'Bytes Sent: {sent_bytes}', 'Bytes Received: {received_bytes}', 'User Agent: {user_agent}', 'Protocol Version: {protocol_version}']
FORMAT_STRING_SHORT_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']']
SOURCE_LONG = 'IIS Log'
SOURCE_SHORT = 'LOG'
plaso.formatters.imessage module

The iMessage chat.db (OSX) and sms.db (iOS) database event formatter.

class plaso.formatters.imessage.IMessageFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iMessage and SMS event.

DATA_TYPE = 'imessage:event:chat'
FORMAT_STRING_PIECES = ['Row ID: {identifier}', 'iMessage ID: {imessage_id}', 'Read Receipt: {read_receipt}', 'Message Type: {message_type}', 'Service: {service}', 'Attachment Location: {attachment_location}', 'Message Content: {text}']
FORMAT_STRING_SHORT_PIECES = ['{text}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Apple iMessage Application'
SOURCE_SHORT = 'iMessage'
plaso.formatters.interface module

This file contains the event formatters interface classes.

The l2t_csv and other output formats depend on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these fields explicitly.

A formatter, with a format string definition, is used to convert the event object values into formatted strings that correspond to the description_long and description_short fields.

class plaso.formatters.interface.ConditionalEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Base class to conditionally format event data using format string pieces.

Define the (long) format string and the short format string by defining FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the format string pieces is similar to that of the event formatter (EventFormatter). Every format string piece should contain a single attribute name or none.

FORMAT_STRING_SEPARATOR controls the string with which the separate string pieces are joined. It is a single space by default.

FORMAT_STRING_PIECES = ['']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['']
GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

class plaso.formatters.interface.EventFormatter[source]

Bases: object

Base class to format event type specific data using a format string.

Define the (long) format string and the short format string by defining FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings is similar to that of format(), where the placeholder for a certain event object attribute is written as {attribute_name}.

DATA_TYPE = 'internal'
FORMAT_STRING = ''
FORMAT_STRING_SHORT = ''
GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

GetSources(event)[source]

Determines the short and long source for an event object.

Parameters: event (EventObject) – event.
Returns: short and long source string.
Return type: tuple(str, str)
Raises: WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = ''
SOURCE_SHORT = 'LOG'
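The conditional formatting contract described in the interface module above, as an added example that is not plaso's own code: a small ConditionalEventFormatter modelled on the documented interface, using the FORMAT_STRING_PIECES listed on this page for the gdrive cloud entry formatter and for the plist formatter (whose separator is empty). A plain dict stands in for plaso's EventObject; the fallback to the long message when no short piece applies and the 80-character truncation of the short message are assumptions made here, not behaviour documented on this page.

```python
"""Conditional event formatting, modelled on the plaso formatter interface.

Added example, not plaso's own code. A dict stands in for plaso's EventObject;
the short-message fallback and the 80-character truncation are assumed here.
"""
import string


class WrongFormatter(Exception):
    """Raised when the event's data_type does not match the formatter."""


class ConditionalEventFormatter(object):
    """Joins only those format string pieces whose attribute is set."""

    DATA_TYPE = 'internal'
    FORMAT_STRING_PIECES = ['']
    FORMAT_STRING_SHORT_PIECES = ['']
    FORMAT_STRING_SEPARATOR = ' '

    @staticmethod
    def _AttributeName(piece):
        """Returns the single {attribute} in a piece, or None if it has none."""
        names = [name for _, name, _, _ in string.Formatter().parse(piece) if name]
        if len(names) > 1:
            raise ValueError('piece {0!r} has more than one attribute'.format(piece))
        return names[0] if names else None

    def GetFormatStringAttributeNames(self):
        """Retrieves the attribute names used in the (long) format string pieces."""
        names = set(self._AttributeName(piece) for piece in self.FORMAT_STRING_PIECES)
        names.discard(None)
        return names

    def _ConditionalFormat(self, pieces, event_values):
        """Keeps pieces with no attribute or whose attribute is not None, then joins."""
        selected = []
        for piece in pieces:
            name = self._AttributeName(piece)
            if name is None or event_values.get(name) is not None:
                selected.append(piece)
        # The pieces are static class constants; event values are only ever
        # substituted into them, so untrusted event data cannot add placeholders.
        return self.FORMAT_STRING_SEPARATOR.join(selected).format(**event_values)

    def GetMessages(self, formatter_mediator, event):
        """Returns (message, short message); raises WrongFormatter on a type mismatch."""
        if event.get('data_type') != self.DATA_TYPE:
            raise WrongFormatter('Unsupported data type: {0!s}.'.format(event.get('data_type')))
        event_values = dict((k, v) for k, v in event.items() if k != 'data_type')
        message = self._ConditionalFormat(self.FORMAT_STRING_PIECES, event_values)
        short_message = self._ConditionalFormat(self.FORMAT_STRING_SHORT_PIECES, event_values)
        if not short_message:  # assumed: no short pieces means reuse the long message
            short_message = message
        if len(short_message) > 80:  # assumed: keep the short message short
            short_message = '{0:s}...'.format(short_message[:77])
        return message, short_message


class GDriveCloudEntryFormatter(ConditionalEventFormatter):
    """Pieces as listed for plaso.formatters.gdrive on this page."""
    DATA_TYPE = 'gdrive:snapshot:cloud_entry'
    FORMAT_STRING_PIECES = ['File Path: {path}', '[{shared}]', 'Size: {size}', 'URL: {url}', 'Type: {document_type}']
    FORMAT_STRING_SHORT_PIECES = ['{path}']


class PlistFormatter(ConditionalEventFormatter):
    """Pieces as listed for plaso.formatters.plist on this page (empty separator)."""
    DATA_TYPE = 'plist:key'
    FORMAT_STRING_PIECES = ['{root}/', '{key}', ' {desc}']
    FORMAT_STRING_SEPARATOR = ''


def FormatSampleEvents():
    """Formats two constructed sample events; returns their (long, short) tuples."""
    cloud_event = {  # constructed sample; 'shared' and 'document_type' are absent
        'data_type': 'gdrive:snapshot:cloud_entry',
        'path': '/Reports/q3.pdf',
        'size': 2048,
        'url': 'https://drive.example.test/d/abc',
    }
    plist_event = {  # constructed sample; no short pieces, so short == long
        'data_type': 'plist:key', 'root': '/Applications', 'key': 'LastUsed', 'desc': 'example',
    }
    return (GDriveCloudEntryFormatter().GetMessages(None, cloud_event),
            PlistFormatter().GetMessages(None, plist_event))


def RejectsForeignDataType():
    """True if the gdrive formatter refuses a plist event with WrongFormatter."""
    try:
        GDriveCloudEntryFormatter().GetMessages(None, {'data_type': 'plist:key'})
    except WrongFormatter:
        return True
    return False


if __name__ == '__main__':
    for long_message, short_message in FormatSampleEvents():
        print(long_message, '|', short_message)
```

The point of the "single attribute per piece" rule is visible in `_ConditionalFormat`: a piece is kept or dropped as a unit depending on one attribute, so `[{shared}]` disappears cleanly when the event has no `shared` value instead of leaving an empty `[]` in the timeline message.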
plaso.formatters.ipod module

The iPod device event formatter.

class plaso.formatters.ipod.IPodDeviceFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iPod device event.

DATA_TYPE = 'ipod:device:entry'
FORMAT_STRING_PIECES = ['Device ID: {device_id}', 'Type: {device_class}', '[{family_id}]', 'Connected {use_count} times', 'Serial nr: {serial_number}', 'IMEI [{imei}]']
SOURCE_LONG = 'iPod Connections'
SOURCE_SHORT = 'LOG'
plaso.formatters.java_idx module

The Java WebStart Cache IDX event formatter.

class plaso.formatters.java_idx.JavaIDXFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Java WebStart Cache IDX download event.

DATA_TYPE = 'java:download:idx'
FORMAT_STRING_PIECES = ['IDX Version: {idx_version}', 'Host IP address: ({ip_address})', 'Download URL: {url}']
SOURCE_LONG = 'Java Cache IDX'
SOURCE_SHORT = 'JAVA_IDX'
plaso.formatters.kik_ios module

The Kik kik.sqlite iOS database event formatter.

class plaso.formatters.kik_ios.KikIOSMessageFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iOS Kik message event.

DATA_TYPE = 'ios:kik:messaging'
FORMAT_STRING_PIECES = ['Username: {username}', 'Displayname: {displayname}', 'Status: {message_status}', 'Type: {message_type}', 'Message: {body}']
FORMAT_STRING_SHORT_PIECES = ['{body}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Kik iOS messages'
SOURCE_SHORT = 'Kik iOS'
plaso.formatters.kodi module

The Kodi MyVideos database event formatter.

class plaso.formatters.kodi.KodiFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Kodi Video event.

DATA_TYPE = 'kodi:videos:viewing'
FORMAT_STRING_PIECES = ['Video: (unknown)', 'Play Count: {play_count}']
FORMAT_STRING_SHORT_PIECES = ['(unknown)']
SOURCE_LONG = 'Kodi Video Viewed'
SOURCE_SHORT = 'KODI'
plaso.formatters.logger module

The formatters sub module logger.

plaso.formatters.ls_quarantine module

The MacOS launch services (LS) quarantine event formatter.

class plaso.formatters.ls_quarantine.LSQuarantineFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a launch services (LS) quarantine history event.

DATA_TYPE = 'macosx:lsquarantine'
FORMAT_STRING_PIECES = ['[{agent}]', 'Downloaded: {url}', '<{data}>']
FORMAT_STRING_SHORT_PIECES = ['{url}']
SOURCE_LONG = 'LS Quarantine Event'
SOURCE_SHORT = 'LOG'
plaso.formatters.mac_appfirewall module

The MacOS appfirewall.log file event formatter.

class plaso.formatters.mac_appfirewall.MacAppFirewallLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS appfirewall.log file event.

DATA_TYPE = 'mac:appfirewall:line'
FORMAT_STRING_PIECES = ['Computer: {computer_name}', 'Agent: {agent}', 'Status: {status}', 'Process name: {process_name}', 'Log: {action}']
FORMAT_STRING_SHORT_PIECES = ['Process name: {process_name}', 'Status: {status}']
SOURCE_LONG = 'Mac AppFirewall Log'
SOURCE_SHORT = 'LOG'
plaso.formatters.mac_document_versions module

The MacOS Document Versions files event formatter.

class plaso.formatters.mac_document_versions.MacDocumentVersionsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Document Versions page visited event.

DATA_TYPE = 'mac:document_versions:file'
FORMAT_STRING_PIECES = ['Version of [{name}]', '({path})', 'stored in {version_path}', 'by {user_sid}']
FORMAT_STRING_SHORT_PIECES = ['Stored a document version of [{name}]']
SOURCE_LONG = 'Document Versions'
SOURCE_SHORT = 'HISTORY'
plaso.formatters.mac_keychain module

The MacOS keychain password database file event formatter.

class plaso.formatters.mac_keychain.KeychainApplicationRecordFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain application record event.

DATA_TYPE = 'mac:keychain:application'
FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}']
FORMAT_STRING_SHORT_PIECES = ['{entry_name}']
SOURCE_LONG = 'Keychain Application password'
SOURCE_SHORT = 'LOG'
class plaso.formatters.mac_keychain.KeychainInternetRecordFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain Internet record event.

DATA_TYPE = 'mac:keychain:internet'
FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}', 'Where: {where}', 'Protocol: {protocol}', '({type_protocol})']
FORMAT_STRING_SHORT_PIECES = ['{entry_name}']
SOURCE_LONG = 'Keychain Internet password'
SOURCE_SHORT = 'LOG'
plaso.formatters.mac_notificationcenter module

The MacOS Notification Center event formatter.

class plaso.formatters.mac_notificationcenter.MacNotificationCenterFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Notification Center event.

DATA_TYPE = 'mac:notificationcenter:db'
FORMAT_STRING_PIECES = ['Title: {title}', '(, subtitle: {subtitle}),', 'registered by: {bundle_name}.', 'Presented: {presented},', 'Content: {body}']
FORMAT_STRING_SHORT_PIECES = ['Title: {title},', 'Content: {body}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components.
  • event (EventObject) – event.
Returns: formatted message string and short message string.
Return type: tuple(str, str)
Raises: WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = 'Notification Center'
SOURCE_SHORT = 'NOTIFICATION'
plaso.formatters.mac_securityd module

The MacOS securityd log file event formatter.

class plaso.formatters.mac_securityd.MacOSSecuritydLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS securityd log event.

DATA_TYPE = 'mac:securityd:line'
FORMAT_STRING_PIECES = ['Sender: {sender}', '({sender_pid})', 'Level: {level}', 'Facility: {facility}', 'Text: {message}']
FORMAT_STRING_SHORT_PIECES = ['Text: {message}']
SOURCE_LONG = 'Mac Securityd Log'
SOURCE_SHORT = 'LOG'
plaso.formatters.mac_wifi module

The MacOS wifi.log file event formatter.

class plaso.formatters.mac_wifi.MacWifiLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a wifi.log file event.

DATA_TYPE = 'mac:wifilog:line'
FORMAT_STRING_PIECES = ['Action: {action}', 'Agent: {agent}', '({function})', 'Log: {text}']
FORMAT_STRING_SHORT_PIECES = ['Action: {action}']
SOURCE_LONG = 'Mac Wifi Log'
SOURCE_SHORT = 'LOG'
plaso.formatters.mackeeper_cache module

The MacKeeper Cache event formatter.

class plaso.formatters.mackeeper_cache.MacKeeperCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacKeeper Cache event.

DATA_TYPE = 'mackeeper:cache'
FORMAT_STRING_PIECES = ['{description}', '<{event_type}>', ':', '{text}', '[', 'URL: {url}', 'Event ID: {record_id}', 'Room: {room}', ']']
FORMAT_STRING_SHORT_PIECES = ['<{event_type}>', '{text}']
SOURCE_LONG = 'MacKeeper Cache'
SOURCE_SHORT = 'LOG'
plaso.formatters.mactime module

The Sleuthkit (TSK) bodyfile (or mactime) event formatter.

class plaso.formatters.mactime.MactimeFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a mactime event.

DATA_TYPE = 'fs:mactime:line'
FORMAT_STRING = '(unknown)'
SOURCE_LONG = 'Mactime Bodyfile'
SOURCE_SHORT = 'FILE'
plaso.formatters.manager module

This file contains the event formatters manager class.

class plaso.formatters.manager.FormattersManager[source]

Bases: object

Class that implements the formatters manager.

classmethod DeregisterFormatter(formatter_class)[source]

Deregisters a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_class (type) – class of the formatter.
Raises: KeyError – if formatter class is not set for the corresponding data type.
classmethod GetFormatterObject(data_type)[source]

Retrieves the formatter object for a specific data type.

Parameters: data_type (str) – data type.
Returns: corresponding formatter or the default formatter if not available.
Return type: EventFormatter
classmethod GetMessageStrings(formatter_mediator, event)[source]

Retrieves the formatted message strings for a specific event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

long and short version of the message string.

Return type:

list[str, str]

classmethod GetSourceStrings(event)[source]

Retrieves the formatted source strings for a specific event object.

Parameters: event (EventObject) – event.
Returns: short and long version of the source of the event.
Return type: list[str, str]
classmethod RegisterFormatter(formatter_class)[source]

Registers a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_class (type) – class of the formatter.
Raises: KeyError – if formatter class is already set for the corresponding data type.
classmethod RegisterFormatters(formatter_classes)[source]

Registers formatter classes.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_classes (list[type]) – classes of the formatters.
Raises: KeyError – if formatter class is already set for the corresponding data type.
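The registry behaviour the FormattersManager entries above describe (lower-cased data type as key, KeyError on duplicate registration or deregistration of an unknown class, default formatter when no class is registered), as an added example that is not plaso's own code. OLECFItemFormatter uses the constants listed for plaso.formatters.olecf on this page; DefaultFormatter is an assumed stand-in for plaso's default formatter, and a plain dict stands in for EventObject.

```python
"""A formatter registry modelled on plaso.formatters.manager.FormattersManager.

Added example, not plaso's own code: DefaultFormatter is an assumed stand-in
for plaso's default formatter and a dict stands in for EventObject.
"""


class WrongFormatter(Exception):
    """Raised when an event's data_type does not match the formatter."""


class EventFormatter(object):
    """Non-conditional formatter: one format() string per message."""
    DATA_TYPE = 'internal'
    FORMAT_STRING = ''
    FORMAT_STRING_SHORT = ''
    SOURCE_LONG = ''
    SOURCE_SHORT = 'LOG'

    def _CheckDataType(self, event):
        if event.get('data_type') != self.DATA_TYPE:
            raise WrongFormatter('Unsupported data type: {0!s}.'.format(event.get('data_type')))

    def GetMessages(self, formatter_mediator, event):
        """Returns (message, short message); short falls back to the long one."""
        self._CheckDataType(event)
        values = dict((k, v) for k, v in event.items() if k != 'data_type')
        message = self.FORMAT_STRING.format(**values)
        return message, self.FORMAT_STRING_SHORT.format(**values) or message

    def GetSources(self, event):
        """Returns (short source, long source)."""
        self._CheckDataType(event)
        return self.SOURCE_SHORT, self.SOURCE_LONG


class DefaultFormatter(EventFormatter):
    """Fallback for unregistered data types: dumps every attribute (assumed shape)."""

    def GetMessages(self, formatter_mediator, event):
        attributes = ' '.join(
            '{0:s}: {1!s}'.format(name, value) for name, value in sorted(event.items()))
        message = '<WARNING: unknown data type> ' + attributes
        return message, message

    def GetSources(self, event):
        return self.SOURCE_SHORT, self.SOURCE_LONG


class OLECFItemFormatter(EventFormatter):
    """Constants as listed for plaso.formatters.olecf.OLECFItemFormatter on this page."""
    DATA_TYPE = 'olecf:item'
    FORMAT_STRING = 'Name: {name}'
    FORMAT_STRING_SHORT = 'Name: {name}'
    SOURCE_LONG = 'OLECF Item'
    SOURCE_SHORT = 'OLECF'


class FormattersManager(object):
    """Registry keyed by lower-cased DATA_TYPE with one cached instance per type."""
    _formatter_classes = {}
    _formatter_objects = {}

    @classmethod
    def RegisterFormatter(cls, formatter_class):
        data_type = formatter_class.DATA_TYPE.lower()
        if data_type in cls._formatter_classes:
            raise KeyError('Formatter class already set for data type: {0:s}.'.format(data_type))
        cls._formatter_classes[data_type] = formatter_class

    @classmethod
    def DeregisterFormatter(cls, formatter_class):
        data_type = formatter_class.DATA_TYPE.lower()
        if data_type not in cls._formatter_classes:
            raise KeyError('Formatter class not set for data type: {0:s}.'.format(data_type))
        del cls._formatter_classes[data_type]
        cls._formatter_objects.pop(data_type, None)  # drop the cached instance as well

    @classmethod
    def GetFormatterObject(cls, data_type):
        """Registered formatter for data_type, else a fresh DefaultFormatter."""
        data_type = data_type.lower()
        formatter_class = cls._formatter_classes.get(data_type)
        if formatter_class is None:
            return DefaultFormatter()  # never cached, so a later registration is honoured
        if data_type not in cls._formatter_objects:
            cls._formatter_objects[data_type] = formatter_class()
        return cls._formatter_objects[data_type]

    @classmethod
    def GetMessageStrings(cls, formatter_mediator, event):
        """[long, short] message strings for the event."""
        return list(cls.GetFormatterObject(event['data_type']).GetMessages(formatter_mediator, event))

    @classmethod
    def GetSourceStrings(cls, event):
        """[short, long] source strings for the event."""
        return list(cls.GetFormatterObject(event['data_type']).GetSources(event))


def DemoRegistry():
    """Registers, looks up and deregisters; returns the observable results."""
    FormattersManager.RegisterFormatter(OLECFItemFormatter)
    event = {'data_type': 'olecf:item', 'name': 'WordDocument'}  # constructed sample
    unknown = {'data_type': 'no:such:type', 'name': 'x'}  # constructed sample
    results = {
        'messages': FormattersManager.GetMessageStrings(None, event),
        'sources': FormattersManager.GetSourceStrings(event),
        'case_insensitive': isinstance(
            FormattersManager.GetFormatterObject('OLECF:Item'), OLECFItemFormatter),
        'default_messages': FormattersManager.GetMessageStrings(None, unknown),
    }
    try:
        FormattersManager.RegisterFormatter(OLECFItemFormatter)
        results['duplicate_rejected'] = False
    except KeyError:
        results['duplicate_rejected'] = True
    FormattersManager.DeregisterFormatter(OLECFItemFormatter)
    results['default_after_deregister'] = isinstance(
        FormattersManager.GetFormatterObject('olecf:item'), DefaultFormatter)
    return results
```

The one design choice worth noting is in GetFormatterObject: the default formatter is never placed in the instance cache, so an event type that is seen before its formatter is registered does not get stuck with the default for the rest of the run.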
plaso.formatters.mcafeeav module

The McAfee AV Logs file event formatter.

class plaso.formatters.mcafeeav.McafeeAccessProtectionLogEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a McAfee Access Protection Log event.

DATA_TYPE = 'av:mcafee:accessprotectionlog'
FORMAT_STRING_PIECES = ['File Name: (unknown)', 'User: {username}', '{trigger_location}', '{status}', '{rule}', '{action}']
FORMAT_STRING_SHORT_PIECES = ['(unknown)', '{action}']
SOURCE_LONG = 'McAfee Access Protection Log'
SOURCE_SHORT = 'LOG'
plaso.formatters.mediator module

The formatter mediator object.

class plaso.formatters.mediator.FormatterMediator(data_location=None)[source]

Bases: object

Class that implements the formatter mediator.

DEFAULT_LANGUAGE_IDENTIFIER = 'en-US'
DEFAULT_LCID = 1033
GetWindowsEventMessage(log_source, message_identifier)[source]

Retrieves the message string for a specific Windows Event Log source.

Parameters:
  • log_source (str) – Event Log source, such as “Application Error”.
  • message_identifier (int) – message identifier.
Returns:

message string or None if not available.

Return type:

str

SetPreferredLanguageIdentifier(language_identifier)[source]

Sets the preferred language identifier.

Parameters:

language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.

Raises:
  • KeyError – if the language identifier is not defined.
  • ValueError – if the language identifier is not a string type.
lcid

int – preferred Language Code identifier (LCID).

plaso.formatters.msie_webcache module

The MSIE WebCache ESE database event formatters.

class plaso.formatters.msie_webcache.MsieWebCacheContainerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Container_# table record.

DATA_TYPE = 'msie:webcache:container'
FORMAT_STRING_PIECES = ['URL: {url}', 'Redirect URL: {redirect_url}', 'Access count: {access_count}', 'Sync count: {sync_count}', 'Filename: {cached_filename}', 'File extension: {file_extension}', 'Cached file size: {cached_file_size}', 'Request headers: {request_headers}', 'Response headers: {response_headers}', 'Entry identifier: {entry_identifier}', 'Container identifier: {container_identifier}', 'Cache identifier: {cache_identifier}']
FORMAT_STRING_SHORT_PIECES = ['URL: {url}']
SOURCE_LONG = 'MSIE WebCache container record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msie_webcache.MsieWebCacheContainersEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Containers table record.

DATA_TYPE = 'msie:webcache:containers'
FORMAT_STRING_PIECES = ['Name: {name}', 'Directory: {directory}', 'Table: Container_{container_identifier}', 'Container identifier: {container_identifier}', 'Set identifier: {set_identifier}']
FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']
SOURCE_LONG = 'MSIE WebCache containers record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msie_webcache.MsieWebCacheLeakFilesEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database LeakFiles table record.

DATA_TYPE = 'msie:webcache:leak_file'
FORMAT_STRING_PIECES = ['Filename: {cached_filename}', 'Leak identifier: {leak_identifier}']
FORMAT_STRING_SHORT_PIECES = ['Filename: {cached_filename}']
SOURCE_LONG = 'MSIE WebCache partitions record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msie_webcache.MsieWebCachePartitionsEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Partitions table record.

DATA_TYPE = 'msie:webcache:partitions'
FORMAT_STRING_PIECES = ['Partition identifier: {partition_identifier}', 'Partition type: {partition_type}', 'Directory: {directory}', 'Table identifier: {table_identifier}']
FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']
SOURCE_LONG = 'MSIE WebCache partitions record'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.msiecf module

The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.

class plaso.formatters.msiecf.MsiecfItemFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIECF item event.

GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

class plaso.formatters.msiecf.MsiecfLeakFormatter[source]

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak item event.

DATA_TYPE = 'msiecf:leak'
FORMAT_STRING_PIECES = ['Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', '{recovered_string}']
FORMAT_STRING_SHORT_PIECES = ['Cached file: {cached_file_path}']
SOURCE_LONG = 'MSIE Cache File leak record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msiecf.MsiecfRedirectedFormatter[source]

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak redirected event.

DATA_TYPE = 'msiecf:redirected'
FORMAT_STRING_PIECES = ['Location: {url}', '{recovered_string}']
FORMAT_STRING_SHORT_PIECES = ['Location: {url}']
SOURCE_LONG = 'MSIE Cache File redirected record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msiecf.MsiecfUrlFormatter[source]

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF URL item event.

DATA_TYPE = 'msiecf:url'
FORMAT_STRING_PIECES = ['Location: {url}', 'Number of hits: {number_of_hits}', 'Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', 'HTTP headers: {http_headers}', '{recovered_string}']
FORMAT_STRING_SHORT_PIECES = ['Location: {url}', 'Cached file: {cached_file_path}']
SOURCE_LONG = 'MSIE Cache File URL record'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.officemru module

The Microsoft Office MRU Windows Registry event formatter.

class plaso.formatters.officemru.OfficeMRUWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft Office MRU Windows Registry event.

DATA_TYPE = 'windows:registry:office_mru'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Value: {value_string}']
FORMAT_STRING_SHORT_PIECES = ['{value_string}']
SOURCE_LONG = 'Registry Key: Microsoft Office MRU'
SOURCE_SHORT = 'REG'
plaso.formatters.olecf module

The OLE Compound File (OLECF) event formatters.

class plaso.formatters.olecf.OLECFDestListEntryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF DestList stream event.

DATA_TYPE = 'olecf:dest_list:entry'
FORMAT_STRING_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Hostname: {hostname}', 'Path: {path}', 'Droid volume identifier: {droid_volume_identifier}', 'Droid file identifier: {droid_file_identifier}', 'Birth droid volume identifier: {birth_droid_volume_identifier}', 'Birth droid file identifier: {birth_droid_file_identifier}']
FORMAT_STRING_SHORT_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Path: {path}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

class plaso.formatters.olecf.OLECFDocumentSummaryInfoFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Document Summary Info property set stream event.

DATA_TYPE = 'olecf:document_summary_info'
FORMAT_STRING_PIECES = ['Number of bytes: {number_of_bytes}', 'Number of lines: {number_of_lines}', 'Number of paragraphs: {number_of_paragraphs}', 'Number of slides: {number_of_slides}', 'Number of notes: {number_of_notes}', 'Number of hidden slides: {number_of_hidden_slides}', 'Number of multi-media clips: {number_of_clips}', 'Company: {company}', 'Manager: {manager}', 'Shared document: {shared_document}', 'Application version: {application_version}', 'Content type: {content_type}', 'Content status: {content_status}', 'Language: {language}', 'Document version: {document_version}']
FORMAT_STRING_SHORT_PIECES = ['Company: {company}']
SOURCE_LONG = 'OLECF Document Summary Info'
SOURCE_SHORT = 'OLECF'
class plaso.formatters.olecf.OLECFItemFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for an OLECF item event.

DATA_TYPE = 'olecf:item'
FORMAT_STRING = 'Name: {name}'
FORMAT_STRING_SHORT = 'Name: {name}'
SOURCE_LONG = 'OLECF Item'
SOURCE_SHORT = 'OLECF'
class plaso.formatters.olecf.OLECFSummaryInfoFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Summary Info property set stream event.

DATA_TYPE = 'olecf:summary_info'
FORMAT_STRING_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Keywords: {keywords}', 'Comments: {comments}', 'Template: {template}', 'Revision number: {revision_number}', 'Last saved by: {last_saved_by}', 'Total edit time: {total_edit_time}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Application: {application}', 'Security: {security}']
FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Revision number: {revision_number}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'OLECF Summary Info'
SOURCE_SHORT = 'OLECF'
plaso.formatters.opera module

The Opera history event formatters.

class plaso.formatters.opera.OperaGlobalHistoryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera global history event.

DATA_TYPE = 'opera:history:entry'
FORMAT_STRING_PIECES = ['{url}', '({title})', '[{description}]']
SOURCE_LONG = 'Opera Browser History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.opera.OperaTypedHistoryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera typed history event.

DATA_TYPE = 'opera:history:typed_entry'
FORMAT_STRING_PIECES = ['{url}', '({entry_selection})']
SOURCE_LONG = 'Opera Browser History'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.oxml module

The OpenXML event formatter.

class plaso.formatters.oxml.OpenXMLParserFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OXML event.

DATA_TYPE = 'metadata:openxml'
FORMAT_STRING_PIECES = ['Creating App: {creating_app}', 'App version: {app_version}', 'Title: {title}', 'Subject: {subject}', 'Last saved by: {last_saved_by}', 'Author: {author}', 'Total edit time (secs): {total_edit_time}', 'Keywords: {keywords}', 'Comments: {comments}', 'Revision number: {revision_number}', 'Template: {template}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Number of characters with spaces: {number_of_characters_with_spaces}', 'Number of lines: {number_of_lines}', 'Company: {company}', 'Manager: {manager}', 'Shared: {shared}', 'Security: {security}', 'Hyperlinks changed: {hyperlinks_changed}', 'Links up to date: {links_up_to_date}', 'Scale crop: {scale_crop}', 'Digital signature: {dig_sig}', 'Slides: {slides}', 'Hidden slides: {hidden_slides}', 'Presentation format: {presentation_format}', 'MM clips: {mm_clips}', 'Notes: {notes}']
FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}']
SOURCE_LONG = 'Open XML Metadata'
SOURCE_SHORT = 'META'
plaso.formatters.pe module

The PE event formatter.

class plaso.formatters.pe.PECompilationFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE compilation event.

DATA_TYPE = 'pe:compilation:compilation_time'
SOURCE_LONG = 'PE Compilation time'
class plaso.formatters.pe.PEDelayImportFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE delay import section event.

DATA_TYPE = 'pe:delay_import:import_time'
FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']
FORMAT_STRING_SHORT_PIECES = ['{dll_name}']
SOURCE_LONG = 'PE Delay Import Time'
class plaso.formatters.pe.PEEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Parent class for PE event formatters.

DATA_TYPE = 'pe'
FORMAT_STRING_PIECES = ['PE Type: {pe_type}', 'Import hash: {imphash}']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['pe_type']
SOURCE_LONG = 'PE Event'
SOURCE_SHORT = 'PE'
class plaso.formatters.pe.PEImportFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE import section event.

DATA_TYPE = 'pe:import:import_time'
FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']
FORMAT_STRING_SHORT_PIECES = ['{dll_name}']
SOURCE_LONG = 'PE Import Time'
class plaso.formatters.pe.PELoadConfigModificationEvent[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE load configuration table event.

DATA_TYPE = 'pe:load_config:modification_time'
SOURCE_LONG = 'PE Load Configuration Table Time'
class plaso.formatters.pe.PEResourceCreationFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE resource creation event.

DATA_TYPE = 'pe:resource:creation_time'
SOURCE_LONG = 'PE Resource Creation Time'
plaso.formatters.plist module

The plist event formatter.

class plaso.formatters.plist.PlistFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a plist key event.

DATA_TYPE = 'plist:key'
FORMAT_STRING_PIECES = ['{root}/', '{key}', ' {desc}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Plist Entry'
SOURCE_SHORT = 'PLIST'
plaso.formatters.pls_recall module

The PL/SQL Recall event formatter.

class plaso.formatters.pls_recall.PlsRecallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a PL/SQL Recall file container event.

DATA_TYPE = 'PLSRecall:event'
FORMAT_STRING_PIECES = ['Sequence number: {sequence_number}', 'Username: {username}', 'Database name: {database_name}', 'Query: {query}']
FORMAT_STRING_SHORT_PIECES = ['{sequence_number}', '{username}', '{database_name}', '{query}']
SOURCE_LONG = 'PL/SQL Developer Recall file'
SOURCE_SHORT = 'PLSRecall'
plaso.formatters.popcontest module

The Popularity Contest event formatters.

class plaso.formatters.popcontest.PopularityContestLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Log event.

DATA_TYPE = 'popularity_contest:log:event'
FORMAT_STRING_PIECES = ['mru [{mru}]', 'package [{package}]', 'tag [{record_tag}]']
FORMAT_STRING_SHORT_PIECES = ['{mru}']
SOURCE_LONG = 'Popularity Contest Log'
SOURCE_SHORT = 'LOG'
class plaso.formatters.popcontest.PopularityContestSessionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Session information event.

DATA_TYPE = 'popularity_contest:session:event'
FORMAT_STRING_PIECES = ['Session {session}', '{status}', 'ID {hostid}', '[{details}]']
FORMAT_STRING_SHORT_PIECES = ['Session {session}', '{status}']
SOURCE_LONG = 'Popularity Contest Session'
SOURCE_SHORT = 'LOG'
plaso.formatters.recycler module

The Windows Recycler/Recycle Bin formatter.

class plaso.formatters.recycler.WinRecyclerFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Recycler/Recycle Bin file event.

DATA_TYPE = 'windows:metadata:deleted_item'
FORMAT_STRING_PIECES = ['DC{record_index} ->', '{original_filename}', '[{short_filename}]', '(from drive: {drive_letter})']
FORMAT_STRING_SHORT_PIECES = ['Deleted file: {original_filename}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Recycle Bin'
SOURCE_SHORT = 'RECBIN'
plaso.formatters.safari module

The Safari history event formatter.

class plaso.formatters.safari.SafariHistoryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event.

DATA_TYPE = 'safari:history:visit'
FORMAT_STRING_PIECES = ['Visited: {url}', '({title}', '- {display_title}', ')', 'Visit Count: {visit_count}']
SOURCE_LONG = 'Safari History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.safari.SafariHistoryFormatterSqlite[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event from the SQLite History.db file.

DATA_TYPE = 'safari:history:visit_sqlite'
FORMAT_STRING_PIECES = ['URL: {url}', 'Title: ({title})', '[count: {visit_count}]', 'http_non_get: {was_http_non_get}']
SOURCE_LONG = 'Safari History'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.safari_cookies module

The Safari Binary cookie event formatter.

class plaso.formatters.safari_cookies.SafariCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari Binary Cookie file entry event.

DATA_TYPE = 'safari:cookie:entry'
FORMAT_STRING_PIECES = ['{url}', '<{path}>', '({cookie_name})', 'Flags: {flags}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Safari Cookies'
SOURCE_SHORT = 'WEBHIST'
plaso.formatters.sam_users module

The SAM users Windows Registry event formatter.

class plaso.formatters.sam_users.SAMUsersWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SAM users Windows Registry event.

DATA_TYPE = 'windows:registry:sam_users'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Username: {username}', 'Full name: {fullname}', 'Comments: {comments}', 'RID: {account_rid}', 'Login count: {login_count}']
FORMAT_STRING_SHORT_PIECES = ['{username}', 'RID: {account_rid}', 'Login count: {login_count}']
SOURCE_LONG = 'Registry Key: User Account Information'
SOURCE_SHORT = 'REG'
plaso.formatters.santa module

Santa log file event formatter.

class plaso.formatters.santa.SantaDiskMountsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Santa disk mount event.

DATA_TYPE = 'santa:diskmount'
FORMAT_STRING_PIECES = ['Santa {action}', 'on ({mount})', 'serial: ({serial})', 'for ({dmg_path})']
FORMAT_STRING_SHORT_PIECES = ['{action}', '{volume}']
SOURCE_LONG = 'Santa disk mount'
SOURCE_SHORT = 'LOG'
class plaso.formatters.santa.SantaExecutionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Santa execution event.

DATA_TYPE = 'santa:execution'
FORMAT_STRING_PIECES = ['Santa {decision}', 'process: {process_path}', 'hash: {process_hash}']
FORMAT_STRING_SHORT_PIECES = ['{decision}', 'process: {process_path}']
SOURCE_LONG = 'Santa Execution'
SOURCE_SHORT = 'LOG'
class plaso.formatters.santa.SantaFileSystemFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Santa file system event.

DATA_TYPE = 'santa:file_system_event'
FORMAT_STRING_PIECES = ['Santa {action} event', '{file_path}', 'by process: {process_path}']
FORMAT_STRING_SHORT_PIECES = ['File {action}', 'on: {file_path}']
SOURCE_LONG = 'Santa FSEvent'
SOURCE_SHORT = 'LOG'
plaso.formatters.sccm module

The SCCM log formatter.

class plaso.formatters.sccm.SCCMEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for SCCM event formatter.

DATA_TYPE = 'software_management:sccm:log'
FORMAT_STRING_PIECES = ['{component}', '{text}']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['{text}']
SOURCE_LONG = 'SCCM Event'
SOURCE_SHORT = 'LOG'
plaso.formatters.selinux module

The SELinux event formatter.

class plaso.formatters.selinux.SELinuxFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an SELinux log file event.

DATA_TYPE = 'selinux:line'
FORMAT_STRING_PIECES = ['[', 'audit_type: {audit_type}', ', pid: {pid}', ']', ' {body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Audit log File'
SOURCE_SHORT = 'LOG'
plaso.formatters.shell_items module

The shell item event formatter.

class plaso.formatters.shell_items.ShellItemFileEntryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shell item file entry event.

DATA_TYPE = 'windows:shell_item:file_entry'
FORMAT_STRING_PIECES = ['Name: {name}', 'Long name: {long_name}', 'Localized name: {localized_name}', 'NTFS file reference: {file_reference}', 'Shell item path: {shell_item_path}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['Name: {file_entry_name}', 'NTFS file reference: {file_reference}', 'Origin: {origin}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'File entry shell item'
SOURCE_SHORT = 'FILE'
plaso.formatters.shutdown module

The shutdown Windows Registry event formatter.

class plaso.formatters.shutdown.ShutdownWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shutdown Windows Registry event.

DATA_TYPE = 'windows:registry:shutdown'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Description: {value_name}']
FORMAT_STRING_SHORT_PIECES = ['{value_name}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Registry Key Shutdown Entry'
SOURCE_SHORT = 'REG'
plaso.formatters.skydrivelog module

The SkyDrive log event formatter.

class plaso.formatters.skydrivelog.SkyDriveLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive log file event.

DATA_TYPE = 'skydrive:log:line'
FORMAT_STRING_PIECES = ['[{module}', '{source_code}', '{log_level}]', '{detail}']
FORMAT_STRING_SHORT_PIECES = ['{detail}']
SOURCE_LONG = 'SkyDrive Log File'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skydrivelog.SkyDriveOldLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive old log file event.

DATA_TYPE = 'skydrive:log:old:line'
FORMAT_STRING_PIECES = ['[{source_code}]', '({log_level})', '{text}']
FORMAT_STRING_SHORT_PIECES = ['{text}']
SOURCE_LONG = 'SkyDrive Log File'
SOURCE_SHORT = 'LOG'
plaso.formatters.skype module

The Skype main database event formatter.

class plaso.formatters.skype.SkypeAccountFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype account event.

DATA_TYPE = 'skype:event:account'
FORMAT_STRING_PIECES = ['{username}', '[{email}]', 'Country: {country}']
SOURCE_LONG = 'Skype Account'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skype.SkypeCallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype call event.

DATA_TYPE = 'skype:event:call'
FORMAT_STRING_PIECES = ['From: {src_call}', 'To: {dst_call}', '[{call_type}]']
SOURCE_LONG = 'Skype Call'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skype.SkypeChatFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype chat message event.

DATA_TYPE = 'skype:event:chat'
FORMAT_STRING_PIECES = ['From: {from_account}', 'To: {to_account}', '[{title}]', 'Message: [{text}]']
FORMAT_STRING_SHORT_PIECES = ['From: {from_account}', 'To: {to_account}']
SOURCE_LONG = 'Skype Chat MSG'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skype.SkypeSMSFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype SMS event.

DATA_TYPE = 'skype:event:sms'
FORMAT_STRING_PIECES = ['To: {number}', '[{text}]']
SOURCE_LONG = 'Skype SMS'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skype.SkypeTransferFileFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype transfer file event.

DATA_TYPE = 'skype:event:transferfile'
FORMAT_STRING_PIECES = ['Source: {source}', 'Destination: {destination}', 'File: {transferred_filename}', '[{action_type}]']
SOURCE_LONG = 'Skype Transfer Files'
SOURCE_SHORT = 'LOG'
plaso.formatters.sophos_av module

The Sophos Anti-Virus log (SAV.txt) file event formatter.

class plaso.formatters.sophos_av.SophosAVLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Sophos Anti-Virus log (SAV.txt) event data.

DATA_TYPE = 'sophos:av:log'
FORMAT_STRING_PIECES = ['{text}']
SOURCE_LONG = 'Sophos Anti-Virus log'
SOURCE_SHORT = 'LOG'
plaso.formatters.srum module

The System Resource Usage Monitor (SRUM) ESE database event formatters.

class plaso.formatters.srum.SRUMApplicationResourceUsageEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM application resource usage event.

DATA_TYPE = 'windows:srum:application_usage'
FORMAT_STRING_PIECES = ['Application: {application}']
FORMAT_STRING_SHORT_PIECES = ['{application}']
class plaso.formatters.srum.SRUMNetworkConnectivityUsageEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network connectivity usage event.

DATA_TYPE = 'windows:srum:network_connectivity'
FORMAT_STRING_PIECES = ['Application: {application}']
FORMAT_STRING_SHORT_PIECES = ['{application}']
class plaso.formatters.srum.SRUMNetworkDataUsageEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network data usage event.

DATA_TYPE = 'windows:srum:network_usage'
FORMAT_STRING_PIECES = ['Application: {application}', 'Bytes received: {bytes_received}', 'Bytes sent: {bytes_sent}', 'Interface LUID: {interface_luid}', 'User identifier: {user_identifier}']
FORMAT_STRING_SHORT_PIECES = ['{application}']
plaso.formatters.ssh module

The syslog SSH file event formatter.

class plaso.formatters.ssh.SSHFailedConnectionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH failed connection event.

DATA_TYPE = 'syslog:ssh:failed_connection'
FORMAT_STRING_PIECES = ['Unsuccessful connection of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'SSH log'
SOURCE_SHORT = 'LOG'
class plaso.formatters.ssh.SSHLoginEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH successful login event.

DATA_TYPE = 'syslog:ssh:login'
FORMAT_STRING_PIECES = ['Successful login of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'SSH log'
SOURCE_SHORT = 'LOG'
class plaso.formatters.ssh.SSHOpenedConnectionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH opened connection event.

DATA_TYPE = 'syslog:ssh:opened_connection'
FORMAT_STRING_PIECES = ['Connection opened {address}:', '{port}', 'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'SSH log'
SOURCE_SHORT = 'LOG'
plaso.formatters.symantec module

The Symantec AV log file event formatter.

class plaso.formatters.symantec.SymantecAVFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Symantec AV log file event.

ACTION_0_NAMES = {'1': 'Quarantined', '10': 'Renamed backup file', '11': 'Undo action in Quarantine View', '12': 'Write protected or lack of permissions - Unable to act on file', '13': 'Backed up file', '2': 'Renamed', '3': 'Deleted', '4': 'Left alone', '5': 'Cleaned', '6': 'Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)', '7': 'Saved file as...', '8': 'Sent to Intel (AMS)', '9': 'Moved to backup location'}
ACTION_1_2_NAMES = {'1': 'Quarantine infected file', '2': 'Rename infected file', '3': 'Delete infected file', '4': 'Leave alone (log only)', '5': 'Clean virus from file', '6': 'Clean or delete macros'}
CATEGORY_NAMES = {'1': 'GL_CAT_INFECTION', '2': 'GL_CAT_SUMMARY', '3': 'GL_CAT_PATTERN', '4': 'GL_CAT_SECURITY'}
DATA_TYPE = 'av:symantec:scanlog'
EVENT_NAMES = {'1': 'GL_EVENT_IS_ALERT', '10': 'GL_EVENT_CHECKSUM', '11': 'GL_EVENT_TRAP', '12': 'GL_EVENT_CONFIG_CHANGE', '13': 'GL_EVENT_SHUTDOWN', '14': 'GL_EVENT_STARTUP', '16': 'GL_EVENT_PATTERN_DOWNLOAD', '17': 'GL_EVENT_TOO_MANY_VIRUSES', '18': 'GL_EVENT_FWD_TO_QSERVER', '19': 'GL_EVENT_SCANDLVR', '2': 'GL_EVENT_SCAN_STOP', '20': 'GL_EVENT_BACKUP', '21': 'GL_EVENT_SCAN_ABORT', '22': 'GL_EVENT_RTS_LOAD_ERROR', '23': 'GL_EVENT_RTS_LOAD', '24': 'GL_EVENT_RTS_UNLOAD', '25': 'GL_EVENT_REMOVE_CLIENT', '26': 'GL_EVENT_SCAN_DELAYED', '27': 'GL_EVENT_SCAN_RESTART', '28': 'GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER', '29': 'GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER', '3': 'GL_EVENT_SCAN_START', '30': 'GL_EVENT_LICENSE_WARNING', '31': 'GL_EVENT_LICENSE_ERROR', '32': 'GL_EVENT_LICENSE_GRACE', '33': 'GL_EVENT_UNAUTHORIZED_COMM', '34': 'GL_EVENT_LOG_FWD_THRD_ERR', '35': 'GL_EVENT_LICENSE_INSTALLED', '36': 'GL_EVENT_LICENSE_ALLOCATED', '37': 'GL_EVENT_LICENSE_OK', '38': 'GL_EVENT_LICENSE_DEALLOCATED', '39': 'GL_EVENT_BAD_DEFS_ROLLBACK', '4': 'GL_EVENT_PATTERN_UPDATE', '40': 'GL_EVENT_BAD_DEFS_UNPROTECTED', '41': 'GL_EVENT_SAV_PROVIDER_PARSING_ERROR', '42': 'GL_EVENT_RTS_ERROR', '43': 'GL_EVENT_COMPLIANCE_FAIL', '44': 'GL_EVENT_COMPLIANCE_SUCCESS', '45': 'GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION', '46': 'GL_EVENT_ANOMALY_START', '47': 'GL_EVENT_DETECTION_ACTION_TAKEN', '48': 'GL_EVENT_REMEDIATION_ACTION_PENDING', '49': 'GL_EVENT_REMEDIATION_ACTION_FAILED', '5': 'GL_EVENT_INFECTION', '50': 'GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL', '51': 'GL_EVENT_ANOMALY_FINISH', '52': 'GL_EVENT_COMMS_LOGIN_FAILED', '53': 'GL_EVENT_COMMS_LOGIN_SUCCESS', '54': 'GL_EVENT_COMMS_UNAUTHORIZED_COMM', '55': 'GL_EVENT_CLIENT_INSTALL_AV', '56': 'GL_EVENT_CLIENT_INSTALL_FW', '57': 'GL_EVENT_CLIENT_UNINSTALL', '58': 'GL_EVENT_CLIENT_UNINSTALL_ROLLBACK', '59': 'GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE', '6': 'GL_EVENT_FILE_NOT_OPEN', '60': 'GL_EVENT_COMMS_SERVER_CERT_ISSUE', '61': 'GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE', '62': 'GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED', '63': 'GL_EVENT_CLIENT_CHECKIN', '64': 'GL_EVENT_CLIENT_NO_CHECKIN', '65': 'GL_EVENT_SCAN_SUSPENDED', '66': 'GL_EVENT_SCAN_RESUMED', '67': 'GL_EVENT_SCAN_DURATION_INSUFFICIENT', '68': 'GL_EVENT_CLIENT_MOVE', '69': 'GL_EVENT_SCAN_FAILED_ENHANCED', '7': 'GL_EVENT_LOAD_PATTERN', '70': 'GL_EVENT_MAX_event_name', '71': 'GL_EVENT_HEUR_THREAT_NOW_WHITELISTED', '72': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_START', '73': 'GL_EVENT_LOAD_ERROR_COH', '74': 'GL_EVENT_LOAD_ERROR_SYKNAPPS', '75': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH', '76': 'GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS', '77': 'GL_EVENT_HEUR_THREAT_NOW_KNOWN', '8': 'GL_STD_MESSAGE_INFO', '9': 'GL_STD_MESSAGE_ERROR'}
FORMAT_STRING_PIECES = ['Event Name: {event_map}', 'Category Name: {category_map}', 'Malware Name: {virus}', 'Malware Path: {file}', 'Action0: {action0_map}', 'Action1: {action1_map}', 'Action2: {action2_map}', 'Description: {description}', 'Scan ID: {scanid}', 'Event Data: {event_data}', 'Remote Machine: {remote_machine}', 'Remote IP: {remote_machine_ip}']
FORMAT_STRING_SEPARATOR = '; '
FORMAT_STRING_SHORT_PIECES = ['{file}', '{virus}', '{action0_map}', '{action1_map}', '{action2_map}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Symantec AV Log'
SOURCE_SHORT = 'LOG'
plaso.formatters.syslog module

The syslog file event formatter.

class plaso.formatters.syslog.SyslogCommentFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog comment event.

DATA_TYPE = 'syslog:comment'
FORMAT_STRING_PIECES = ['{body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Log File'
SOURCE_SHORT = 'LOG'
class plaso.formatters.syslog.SyslogLineFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog line event.

DATA_TYPE = 'syslog:line'
FORMAT_STRING_PIECES = ['{severity} ', '[', '{reporter}', ', pid: {pid}', '] {body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Log File'
SOURCE_SHORT = 'LOG'
plaso.formatters.systemd_journal module

The Systemd journal file event formatter.

class plaso.formatters.systemd_journal.SystemdJournalDirtyEventFormatter[source]

Bases: plaso.formatters.systemd_journal.SystemdJournalEventFormatter

Formatter for a Systemd journal dirty event.

DATA_TYPE = 'systemd:journal:dirty'
SOURCE_LONG = 'systemd-journal-dirty'
class plaso.formatters.systemd_journal.SystemdJournalEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Systemd journal event.

DATA_TYPE = 'systemd:journal'
FORMAT_STRING_PIECES = ['{hostname} ', '[', '{reporter}', ', pid: {pid}', '] {body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'systemd-journal'
SOURCE_SHORT = 'LOG'
plaso.formatters.tango_android module

Tango on Android databases formatter.

class plaso.formatters.tango_android.TangoAndroidContactFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android contact event formatter.

DATA_TYPE = 'tango:android:contact'
FORMAT_STRING_PIECES = ['{first_name}', '{last_name}', '{gender}', 'birthday: {birthday}', 'Status: {status}', 'Friend: {is_friend}', 'Request type: {friend_request_type}', 'Request message: {friend_request_message}']
FORMAT_STRING_SHORT_PIECES = ['{first_name}', '{last_name}', 'Status: {status}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple[str, str]

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Tango Android Contact'
SOURCE_SHORT = 'Tango Android'
class plaso.formatters.tango_android.TangoAndroidConversationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android conversation event formatter.

DATA_TYPE = 'tango:android:conversation'
FORMAT_STRING_PIECES = ['Conversation ({conversation_identifier})']
FORMAT_STRING_SHORT_PIECES = ['Conversation ({conversation_identifier})']
SOURCE_LONG = 'Tango Android Conversation'
SOURCE_SHORT = 'Tango Android'
class plaso.formatters.tango_android.TangoAndroidMessageFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android message event formatter.

DATA_TYPE = 'tango:android:message'
FORMAT_STRING_PIECES = ['{direction}', 'Message ({message_identifier})']
FORMAT_STRING_SHORT_PIECES = ['{direction}', 'Message ({message_identifier})']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple[str, str]

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Tango Android Message'
SOURCE_SHORT = 'Tango Android'
plaso.formatters.task_scheduler module

The Task Scheduler event formatter.

class plaso.formatters.task_scheduler.TaskCacheEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Task Scheduler Cache event.

DATA_TYPE = 'task_scheduler:task_cache:entry'
FORMAT_STRING_PIECES = ['Task: {task_name}', '[Identifier: {task_identifier}]']
FORMAT_STRING_SHORT_PIECES = ['Task: {task_name}']
SOURCE_LONG = 'Task Cache'
SOURCE_SHORT = 'REG'
plaso.formatters.text module

The text file event formatter.

class plaso.formatters.text.TextEntryFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a text file entry event.

DATA_TYPE = 'text:entry'
FORMAT_STRING = '{text}'
SOURCE_LONG = 'Text File'
SOURCE_SHORT = 'LOG'
plaso.formatters.trendmicroav module

The Trend Micro AV Logs file event formatter.

class plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:scan'
FORMAT_STRING_PIECES = ['Path: {path}', 'File name: (unknown)', '{threat}', ': {action}', '({scan_type})']
FORMAT_STRING_SHORT_PIECES = ['{path}', '(unknown)', '{action}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'
SOURCE_SHORT = 'LOG'
VALUE_FORMATTERS = {'action': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>, 'scan_type': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>}
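The GetMessages description above (value formatters applied first, then the conditional pieces joined by the separator) is easier to follow with a runnable model. The following is an added example and not plaso's own code: it re-implements that assembly for OfficeScanVirusDetectionLogEventFormatter using the pieces listed in this entry; the action and scan-type code tables, the WrongFormatter stand-in and the sample event are constructed for illustration and are not Trend Micro's or plaso's real values.

```python
"""Model of how a plaso ConditionalEventFormatter builds its message strings.

Added example, not plaso's own code. It re-implements the behaviour the
reference describes for OfficeScanVirusDetectionLogEventFormatter: values
with an entry in VALUE_FORMATTERS are translated first, then every piece
whose attributes are present is rendered and the pieces are joined with
FORMAT_STRING_SEPARATOR. The code tables and the sample event are
constructed placeholders, not the vendor's real codes.
"""
import re

# Matches a {attribute} placeholder inside a format string piece.
PLACEHOLDER_RE = re.compile(r'\{(\w+)\}')


class WrongFormatter(Exception):
    """Stand-in for plaso's error: the event cannot be formatted by this formatter."""


class ConditionalEventFormatter:
    """Minimal stand-in for plaso.formatters.interface.ConditionalEventFormatter."""

    DATA_TYPE = None
    FORMAT_STRING_PIECES = []
    FORMAT_STRING_SHORT_PIECES = []
    FORMAT_STRING_SEPARATOR = ' '
    VALUE_FORMATTERS = {}

    def _ConditionalFormat(self, pieces, values):
        # A piece without a placeholder is always emitted; a piece whose
        # attribute is absent (or None) is dropped rather than rendered empty.
        parts = []
        for piece in pieces:
            names = PLACEHOLDER_RE.findall(piece)
            if any(values.get(name) is None for name in names):
                continue
            parts.append(piece.format(**values))
        return self.FORMAT_STRING_SEPARATOR.join(parts)

    def GetMessages(self, event_values):
        """Returns (message, short message) for a dict of event attributes."""
        if event_values.get('data_type') != self.DATA_TYPE:
            raise WrongFormatter('Unsupported data type: {0!s}'.format(
                event_values.get('data_type')))
        values = dict(event_values)
        # Value formatters translate raw codes before the pieces are rendered.
        for name, function in self.VALUE_FORMATTERS.items():
            if values.get(name) is not None:
                values[name] = function(values[name])
        return (self._ConditionalFormat(self.FORMAT_STRING_PIECES, values),
                self._ConditionalFormat(self.FORMAT_STRING_SHORT_PIECES, values))


# Constructed code tables (placeholders, not Trend Micro's real values).
ACTIONS = {0: 'Passed', 1: 'Quarantined', 2: 'Deleted', 3: 'Cleaned'}
SCAN_TYPES = {1: 'Manual Scan', 2: 'Real-time Scan', 3: 'Scheduled Scan'}


class OfficeScanVirusDetectionLogEventFormatter(ConditionalEventFormatter):
    """Pieces taken from the reference entry; the value formatters are modelled."""

    DATA_TYPE = 'av:trendmicro:scan'
    FORMAT_STRING_PIECES = [
        'Path: {path}', 'File name: (unknown)', '{threat}', ': {action}',
        '({scan_type})']
    FORMAT_STRING_SHORT_PIECES = ['{path}', '(unknown)', '{action}']
    VALUE_FORMATTERS = {
        'action': lambda code: ACTIONS.get(
            code, 'Unknown action ({0!s})'.format(code)),
        'scan_type': lambda code: SCAN_TYPES.get(
            code, 'Unknown scan type ({0!s})'.format(code)),
    }


# Constructed sample event, shaped like what a parser hands to the formatter.
SAMPLE_EVENT = {
    'data_type': 'av:trendmicro:scan',
    'path': 'C:\\Users\\alice\\Downloads\\',
    'threat': 'Eicar_test_file',
    'action': 1,
    'scan_type': 2,
}


def FormatEvent(event_values):
    """Formats one event dict with the modelled Trend Micro formatter."""
    return OfficeScanVirusDetectionLogEventFormatter().GetMessages(event_values)


if __name__ == '__main__':
    message, short_message = FormatEvent(SAMPLE_EVENT)
    print(message)
    print(short_message)
    # A piece whose attribute is missing disappears from the output.
    partial = dict(SAMPLE_EVENT)
    del partial['threat']
    print(FormatEvent(partial)[0])
```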
class plaso.formatters.trendmicroav.OfficeScanWebReputationLogEventFormatter[source]

Bases: plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:webrep'
FORMAT_STRING_PIECES = ['{url}', '{ip}', 'Group: {group_name}', '{group_code}', 'Mode: {block_mode}', 'Policy ID: {policy_identifier}', 'Credibility rating: {credibility_rating}', 'Credibility score: {credibility_score}', 'Threshold value: {threshold}', 'Accessed by: {application_name}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '{group_name}']
SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'
SOURCE_SHORT = 'LOG'
VALUE_FORMATTERS = {'block_mode': <function OfficeScanWebReputationLogEventFormatter.<lambda>>}
plaso.formatters.twitter_android module

Twitter on Android database formatter.

class plaso.formatters.twitter_android.TwitterAndroidContactFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for Android contact event formatter.

DATA_TYPE = 'twitter:android:contact'
FORMAT_STRING_PIECES = ['Screen name: {username}', 'Profile picture URL: {image_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {web_url}', 'Number of followers: {followers}', 'Number of following: {friend}', 'Number of tweets: {statuses}']
FORMAT_STRING_SHORT_PIECES = ['Screen name: {username}', 'Description: {description}', 'URL: {web_url}']
SOURCE_LONG = 'Twitter Android Contacts'
SOURCE_SHORT = 'Twitter Android'
class plaso.formatters.twitter_android.TwitterAndroidSearchFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for Android search event formatter.

DATA_TYPE = 'twitter:android:search'
FORMAT_STRING_PIECES = ['Name: {name}', 'Query: {search_query}']
FORMAT_STRING_SHORT_PIECES = ['Query: {search_query}']
SOURCE_LONG = 'Twitter Android Search'
SOURCE_SHORT = 'Twitter Android'
class plaso.formatters.twitter_android.TwitterAndroidStatusFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for Android status event formatter.

DATA_TYPE = 'twitter:android:status'
FORMAT_STRING_PIECES = ['User: {username}', 'Status: {content}', 'Favorited: {favorited}', 'Retweeted: {retweeted}']
FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'Status: {content}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter Android Status'
SOURCE_SHORT = 'Twitter Android'
plaso.formatters.twitter_ios module

Twitter on iOS 8+ database formatter.

class plaso.formatters.twitter_ios.TwitterIOSContactFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ contact event formatter.

DATA_TYPE = 'twitter:ios:contact'
FORMAT_STRING_PIECES = ['Screen name: {screen_name}', 'Profile picture URL: {profile_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {url}', 'Following: {following}', 'Number of followers: {followers_count}', 'Number of following: {following_count}']
FORMAT_STRING_SHORT_PIECES = ['Screen name: {screen_name}', 'Description: {description}', 'URL: {url}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter iOS Contacts'
SOURCE_SHORT = 'Twitter iOS'
class plaso.formatters.twitter_ios.TwitterIOSStatusFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ status event formatter.

DATA_TYPE = 'twitter:ios:status'
FORMAT_STRING_PIECES = ['Name: {name}', 'User Id: {user_id}', 'Message: {text}', 'Favorite: {favorited}', 'Retweet Count: {retweet_count}', 'Favorite Count: {favorite_count}']
FORMAT_STRING_SHORT_PIECES = ['Name: {name}', 'Message: {text}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter iOS Status'
SOURCE_SHORT = 'Twitter iOS'
plaso.formatters.userassist module

The UserAssist Windows Registry event formatter.

class plaso.formatters.userassist.UserAssistWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a UserAssist Windows Registry event.

DATA_TYPE = 'windows:registry:userassist'
FORMAT_STRING_PIECES = ['[{key_path}]', 'UserAssist entry: {entry_index}', 'Value name: {value_name}', 'Count: {number_of_executions}', 'Application focus count: {application_focus_count}', 'Application focus duration: {application_focus_duration}']
FORMAT_STRING_SHORT_PIECES = ['{value_name}', 'Count: {number_of_executions}']
SOURCE_LONG = 'Registry Key: UserAssist'
SOURCE_SHORT = 'REG'
plaso.formatters.utmp module

The UTMP binary file event formatter.

class plaso.formatters.utmp.UtmpSessionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a UTMP session event.

DATA_TYPE = 'linux:utmp:event'
FORMAT_STRING_PIECES = ['User: {username}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}', 'Status: {status}', 'IP Address: {ip_address}', 'Exit status: {exit_status}']
FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'UTMP session'
SOURCE_SHORT = 'LOG'
plaso.formatters.utmpx module

The UTMPX binary file event formatter.

class plaso.formatters.utmpx.UtmpxSessionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMPX session event.

DATA_TYPE = 'mac:utmpx:event'
FORMAT_STRING_PIECES = ['User: {username}', 'Status: {status}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}']
FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'UTMPX session'
SOURCE_SHORT = 'LOG'
plaso.formatters.windows module

The Windows event formatter.

class plaso.formatters.windows.WindowsDistributedLinkTrackingCreationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows distributed link creation event.

DATA_TYPE = 'windows:distributed_link_tracking:creation'
FORMAT_STRING_PIECES = ['{uuid}', 'MAC address: {mac_address}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['{uuid}', 'Origin: {origin}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'
class plaso.formatters.windows.WindowsRegistryInstallationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows installation event.

DATA_TYPE = 'windows:registry:installation'
FORMAT_STRING_PIECES = ['{product_name}', '{version}', '{service_pack}', 'Owner: owner', 'Origin: {key_path}']
FORMAT_STRING_SHORT_PIECES = ['{product_name}', '{version}', '{service_pack}', 'Origin: {key_path}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'
class plaso.formatters.windows.WindowsRegistryListEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows list event e.g. MRU or Jump list.

DATA_TYPE = 'windows:registry:list'
FORMAT_STRING_PIECES = ['Key: {key_path}', 'Value: {value_name}', 'List: {list_name}', '[{list_values}]']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'
class plaso.formatters.windows.WindowsRegistryNetworkEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows network event.

DATA_TYPE = 'windows:registry:network'
FORMAT_STRING_PIECES = ['SSID: {ssid}', 'Description: {description}', 'Connection Type: {connection_type}', 'Default Gateway Mac: {default_gateway_mac}', 'DNS Suffix: {dns_suffix}']
SOURCE_LONG = 'System: Network Connection'
SOURCE_SHORT = 'LOG'
class plaso.formatters.windows.WindowsVolumeCreationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows volume creation event.

DATA_TYPE = 'windows:volume:creation'
FORMAT_STRING_PIECES = ['{device_path}', 'Serial number: 0x{serial_number:08X}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['{device_path}', 'Origin: {origin}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'
plaso.formatters.windows_timeline module

The Windows Timeline event formatter.

class plaso.formatters.windows_timeline.WindowsTimelineGenericEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for generic Windows Timeline events.

DATA_TYPE = 'windows:timeline:generic'
FORMAT_STRING_PIECES = ['Application Display Name: {application_display_name}', 'Package Identifier: {package_identifier}', 'Description: {description}']
FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']
SOURCE_LONG = 'Windows Timeline - Generic'
SOURCE_SHORT = 'Windows Timeline'
class plaso.formatters.windows_timeline.WindowsTimelineUserEngagedEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for User Engaged Windows Timeline events

DATA_TYPE = 'windows:timeline:user_engaged'
FORMAT_STRING_PIECES = ['Package Identifier: {package_identifier}', 'Active Duration (seconds): {active_duration_seconds}', 'Reporting App: {reporting_app}']
FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']
SOURCE_LONG = 'Windows Timeline - User Engaged'
SOURCE_SHORT = 'Windows Timeline'
plaso.formatters.winevt module

The Windows EventLog (EVT) file event formatter.

class plaso.formatters.winevt.WinEVTFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows EventLog (EVT) record event.

DATA_TYPE = 'windows:evt:record'
FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Severity: {severity}', 'Record Number: {record_number}', 'Event Type: {event_type}', 'Event Category: {event_category}']
FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']
GetEventTypeString(event_type)[source]

Retrieves a string representation of the event type.

Parameters:event_type (int) – event type.
Returns:description of the event type.
Return type:str
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

GetSeverityString(severity)[source]

Retrieves a string representation of the severity.

Parameters:severity (int) – severity.
Returns:description of the event severity.
Return type:str
SOURCE_LONG = 'WinEVT'
SOURCE_SHORT = 'EVT'
plaso.formatters.winevt_rc module

Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile[source]

Bases: object

Class that defines a sqlite3 database file.

Close()[source]

Closes the database file.

Raises:RuntimeError – if the database is not opened.
GetValues(table_names, column_names, condition)[source]

Retrieves values from a table.

Parameters:
  • table_names (list[str]) – table names.
  • column_names (list[str]) – column names.
  • condition (str) – query condition such as “log_source == ‘Application Error’”.
Yields:

sqlite3.row – row.

Raises:

RuntimeError – if the database is not opened.

HasTable(table_name)[source]

Determines if a specific table exists.

Parameters:table_name (str) – table name.
Returns:True if the table exists.
Return type:bool
Raises:RuntimeError – if the database is not opened.
Open(filename, read_only=False)[source]

Opens the database file.

Parameters:
  • filename (str) – filename of the database.
  • read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.
Returns:

True if successful.

Return type:

bool

Raises:

RuntimeError – if the database is already opened.

class plaso.formatters.winevt_rc.Sqlite3DatabaseReader[source]

Bases: object

Class to represent a sqlite3 database reader.

Close()[source]

Closes the database reader object.

Open(filename)[source]

Opens the database reader object.

Parameters:filename (str) – filename of the database.
Returns:True if successful.
Return type:bool
class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader[source]

Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Class to represent a sqlite3 Event Log resources database reader.

GetMessage(log_source, lcid, message_identifier)[source]

Retrieves a specific message for a specific Event Log source.

Parameters:
  • log_source (str) – Event Log source.
  • lcid (int) – language code identifier (LCID).
  • message_identifier (int) – message identifier.
Returns:

message string or None if not available.

Return type:

str

GetMetadataAttribute(attribute_name)[source]

Retrieves the metadata attribute.

Parameters:attribute_name (str) – name of the metadata attribute.
Returns:the metadata attribute or None.
Return type:str
Raises:RuntimeError – if more than one value is found in the database.
Open(filename)[source]

Opens the database reader object.

Parameters:filename (str) – filename of the database.
Returns:True if successful.
Return type:bool
Raises:RuntimeError – if the version or string format of the database is not supported.
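The Sqlite3DatabaseFile interface above takes its WHERE clause as a caller-built string, and its docstring notes that read-only mode is only simulated by permitting SELECT queries. The following is an added example, not plaso's winevt_rc code, of a reader with the same Open/Close/HasTable/GetValues shape that instead relies on SQLite's real read-only URI mode (Python 3.4 and later) and on bound parameters, so that a log source name lifted from an untrusted EVT/EVTX record is treated as data rather than spliced into SQL. The fixture database, its message_table schema and the demo_lookup() helper are constructed for this example and are not the layout of the real Event Log resources database.

```python
"""Read-only sqlite3 reader with bound parameters (added example, not plaso)."""
import os
import pathlib
import shutil
import sqlite3
import tempfile


def _quote_identifier(name):
    """Double-quotes an SQL identifier (table or column name)."""
    return '"{0:s}"'.format(name.replace('"', '""'))


class ReadOnlySqliteFile(object):
    """Opens a database in SQLite's own read-only mode and queries it safely."""

    def __init__(self):
        self._connection = None

    def Open(self, filename):
        if self._connection is not None:
            raise RuntimeError('database already opened')
        # mode=ro is enforced by SQLite itself, not by filtering query text.
        uri = '{0:s}?mode=ro'.format(pathlib.Path(filename).resolve().as_uri())
        self._connection = sqlite3.connect(uri, uri=True)
        self._connection.row_factory = sqlite3.Row
        return True

    def Close(self):
        if self._connection is None:
            raise RuntimeError('database not opened')
        self._connection.close()
        self._connection = None

    def HasTable(self, table_name):
        if self._connection is None:
            raise RuntimeError('database not opened')
        cursor = self._connection.execute(
            'SELECT 1 FROM sqlite_master WHERE type = ? AND name = ?',
            ('table', table_name))
        return cursor.fetchone() is not None

    def GetValues(self, table_name, column_names, condition, parameters=()):
        """Yields rows; condition uses ? placeholders, values go in parameters."""
        if self._connection is None:
            raise RuntimeError('database not opened')
        if not self.HasTable(table_name):
            raise ValueError('no such table: {0:s}'.format(table_name))
        # Identifiers cannot be bound, so validate them against the schema.
        known = {row['name'] for row in self._connection.execute(
            'PRAGMA table_info({0:s})'.format(_quote_identifier(table_name)))}
        unknown = sorted(set(column_names) - known)
        if unknown:
            raise ValueError('no such column(s): {0:s}'.format(', '.join(unknown)))
        query = 'SELECT {0:s} FROM {1:s} WHERE {2:s}'.format(
            ', '.join(_quote_identifier(name) for name in column_names),
            _quote_identifier(table_name), condition)
        for row in self._connection.execute(query, parameters):
            yield row


def demo_lookup():
    """Builds a constructed fixture database and queries it read-only."""
    tmpdir = tempfile.mkdtemp()
    try:
        path = os.path.join(tmpdir, 'winevt-rc.db')
        setup = sqlite3.connect(path)
        setup.execute(
            'CREATE TABLE message_table ('
            'log_source TEXT, message_identifier INTEGER, message_string TEXT)')
        setup.executemany('INSERT INTO message_table VALUES (?, ?, ?)', [
            ('Application Error', 1000, 'Faulting application %1, version %2'),
            ('Service Control Manager', 7045, 'A service was installed: %1')])
        setup.commit()
        setup.close()

        reader = ReadOnlySqliteFile()
        reader.Open(path)
        condition = 'log_source = ? AND message_identifier = ?'
        hit = [row['message_string'] for row in reader.GetValues(
            'message_table', ['message_string'], condition,
            ('Service Control Manager', 7045))]
        # A log source copied from a hostile record stays a plain string.
        hostile = [row['message_string'] for row in reader.GetValues(
            'message_table', ['message_string'], condition,
            ("x' OR '1'='1", 7045))]
        reader.Close()

        # The same file, opened the same way, refuses writes inside SQLite.
        connection = sqlite3.connect(
            '{0:s}?mode=ro'.format(pathlib.Path(path).as_uri()), uri=True)
        try:
            connection.execute('DELETE FROM message_table')
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
        finally:
            connection.close()
        return {'hit': hit, 'hostile': hostile, 'write_blocked': write_blocked}
    finally:
        shutil.rmtree(tmpdir)
```

Table and column names still have to be interpolated because SQLite cannot bind identifiers; the example checks them against sqlite_master and PRAGMA table_info before quoting them, which is the part a SELECT-only filter does not cover.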
plaso.formatters.winevtx module

The Windows XML EventLog (EVTX) file event formatter.

class plaso.formatters.winevtx.WinEVTXFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows XML EventLog (EVTX) record event.

DATA_TYPE = 'windows:evtx:record'
FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Record Number: {record_number}', 'Event Level: {event_level}']
FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'WinEVTX'
SOURCE_SHORT = 'EVT'
plaso.formatters.winfirewall module

The Windows firewall log file event formatter.

class plaso.formatters.winfirewall.WinFirewallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows firewall log entry event.

DATA_TYPE = 'windows:firewall:log_entry'
FORMAT_STRING_PIECES = ['{action}', '[', '{protocol}', '{path}', ']', 'From: {source_ip}', ':{source_port}', '>', '{dest_ip}', ':{dest_port}', 'Size (bytes): {size}', 'Flags [{flags}]', 'TCP Seq Number: {tcp_seq}', 'TCP ACK Number: {tcp_ack}', 'TCP Window Size (bytes): {tcp_win}', 'ICMP type: {icmp_type}', 'ICMP code: {icmp_code}', 'Additional info: {info}']
FORMAT_STRING_SHORT_PIECES = ['{action}', '[{protocol}]', '{source_ip}', ': {source_port}', '>', '{dest_ip}', ': {dest_port}']
SOURCE_LONG = 'Windows Firewall Log'
SOURCE_SHORT = 'LOG'
plaso.formatters.winjob module

The Windows Scheduled Task (job) event formatter.

class plaso.formatters.winjob.WinJobFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Scheduled Task (job) event.

DATA_TYPE = 'windows:tasks:job'
FORMAT_STRING_PIECES = ['Application: {application}', '{parameters}', 'Scheduled by: {username}', 'Working directory: {working_directory}', 'Trigger type: {trigger_type}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Scheduled Task Job'
SOURCE_SHORT = 'JOB'
plaso.formatters.winlnk module

The Windows Shortcut (LNK) event formatter.

class plaso.formatters.winlnk.WinLnkLinkFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Shortcut (LNK) link event.

DATA_TYPE = 'windows:lnk:link'
FORMAT_STRING_PIECES = ['[{description}]', 'File size: {file_size}', 'File attribute flags: 0x{file_attribute_flags:08x}', 'Drive type: {drive_type}', 'Drive serial number: 0x{drive_serial_number:08x}', 'Volume label: {volume_label}', 'Local path: {local_path}', 'Network path: {network_path}', 'cmd arguments: {command_line_arguments}', 'env location: {env_var_location}', 'Relative path: {relative_path}', 'Working dir: {working_directory}', 'Icon location: {icon_location}', 'Link target: {link_target}']
FORMAT_STRING_SHORT_PIECES = ['[{description}]', '{linked_path}', '{command_line_arguments}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Shortcut'
SOURCE_SHORT = 'LNK'
plaso.formatters.winprefetch module

The Windows Prefetch event formatter.

class plaso.formatters.winprefetch.WinPrefetchExecutionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Prefetch execution event.

DATA_TYPE = 'windows:prefetch:execution'
FORMAT_STRING_PIECES = ['Prefetch', '[{executable}] was executed -', 'run count {run_count}', 'path: {path}', 'hash: 0x{prefetch_hash:08X}', '{volumes_string}']
FORMAT_STRING_SHORT_PIECES = ['{executable} was run', '{run_count} time(s)']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'WinPrefetch'
SOURCE_SHORT = 'LOG'
plaso.formatters.winreg module

The Windows Registry key or value event formatter.

class plaso.formatters.winreg.WinRegistryGenericFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows Registry key or value event.

DATA_TYPE = 'windows:registry:key_value'
FORMAT_STRING = '[{key_path}] {text}'
FORMAT_STRING_ALTERNATIVE = '{text}'
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

GetSources(event)[source]

Determines the short and long source for an event object.

Parameters:event (EventObject) – event.
Returns:short and long source string.
Return type:tuple(str, str)
Raises:WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'
plaso.formatters.winregservice module

The Windows services event formatter.

The Windows services are derived from Windows Registry files.

class plaso.formatters.winregservice.WinRegistryServiceFormatter[source]

Bases: plaso.formatters.winreg.WinRegistryGenericFormatter

Formatter for a Windows service event.

DATA_TYPE = 'windows:registry:service'
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

plaso.formatters.winrestore module

The Windows Restore Point (rp.log) file event formatter.

class plaso.formatters.winrestore.RestorePointInfoFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Restore Point information event.

DATA_TYPE = 'windows:restore_point:info'
FORMAT_STRING_PIECES = ['{description}', 'Event type: {restore_point_event_type}', 'Restore point type: {restore_point_type}']
FORMAT_STRING_SHORT_PIECES = ['{description}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Restore Point'
SOURCE_SHORT = 'RP'
plaso.formatters.xchatlog module

The XChat log file event formatter.

class plaso.formatters.xchatlog.XChatLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat log file entry event.

DATA_TYPE = 'xchat:log:line'
FORMAT_STRING_PIECES = ['[nickname: {nickname}]', '{text}']
SOURCE_LONG = 'XChat Log File'
SOURCE_SHORT = 'LOG'
plaso.formatters.xchatscrollback module

The XChat scrollback file event formatter.

class plaso.formatters.xchatscrollback.XChatScrollbackFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat scrollback file entry event.

DATA_TYPE = 'xchat:scrollback:line'
FORMAT_STRING_PIECES = ['[', 'nickname: {nickname}', ']', ' {text}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'XChat Scrollback File'
SOURCE_SHORT = 'LOG'
plaso.formatters.zeitgeist module

The Zeitgeist event formatter.

class plaso.formatters.zeitgeist.ZeitgeistFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Zeitgeist activity database event.

DATA_TYPE = 'zeitgeist:activity'
FORMAT_STRING = '{subject_uri}'
SOURCE_LONG = 'Zeitgeist activity log'
SOURCE_SHORT = 'LOG'
plaso.formatters.zsh_extended_history module

The Zsh extended_history formatter.

class plaso.formatters.zsh_extended_history.ZshExtendedHistoryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for the Zsh event formatter.

DATA_TYPE = 'shell:zsh:history'
FORMAT_STRING_PIECES = ['{command}', 'Time elapsed: {elapsed_seconds} seconds']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['{command}']
SOURCE_LONG = 'Zsh Extended History'
SOURCE_SHORT = 'HIST'
Module contents

This file contains an import statement for each formatter.
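Every ConditionalEventFormatter subclass listed above is described only by its FORMAT_STRING_PIECES, FORMAT_STRING_SHORT_PIECES and (optionally) FORMAT_STRING_SEPARATOR attributes. What follows is an added illustration, not plaso's own ConditionalEventFormatter, of how those attributes turn into the long and short message strings: a piece is rendered only when every attribute it references is present on the event, literal pieces such as '[' are always kept, and the surviving pieces are joined with the separator. The rule that a value of 0 or '' counts as present while a missing attribute or None drops the piece is an assumption of this illustration, and the event dictionaries are constructed.

```python
"""How conditional format-string pieces assemble (added illustration, not plaso)."""
import string

_PARSER = string.Formatter()


def _referenced_attributes(piece):
    """Attribute names used by one piece, e.g. 'PID: {pid}' -> ['pid']."""
    return [field for _, field, _, _ in _PARSER.parse(piece) if field]


def format_pieces(pieces, event, separator=' '):
    """Renders the pieces whose referenced attributes are all present.

    Assumption for this illustration: only a missing attribute or None drops a
    piece; 0 and '' are still rendered. Pieces without placeholders always stay.
    """
    rendered = []
    for piece in pieces:
        names = _referenced_attributes(piece)
        if all(event.get(name) is not None for name in names):
            rendered.append(piece.format(**event))
    return separator.join(rendered)


# Pieces of the UTMP session formatter, as listed on this page.
UTMP_PIECES = [
    'User: {username}', 'Hostname: {hostname}', 'Terminal: {terminal}',
    'PID: {pid}', 'Terminal identifier: {terminal_identifier}',
    'Status: {status}', 'IP Address: {ip_address}', 'Exit status: {exit_status}']
UTMP_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']

# Constructed sample event: a login record with no exit status recorded.
SAMPLE_UTMP_EVENT = {
    'data_type': 'linux:utmp:event',
    'username': 'alice',
    'hostname': '10.0.0.5',
    'terminal': 'pts/1',
    'pid': 4242,
    'terminal_identifier': 0,   # present but zero: still rendered
    'status': 'USER_PROCESS',
    'ip_address': '10.0.0.5',
    'exit_status': None,        # None: the piece is dropped
}


def utmp_messages(event=SAMPLE_UTMP_EVENT):
    """Returns (message, short message) for a UTMP session event."""
    return (format_pieces(UTMP_PIECES, event),
            format_pieces(UTMP_SHORT_PIECES, event))


# Pieces of the XChat scrollback formatter, whose separator is '' rather than
# the default ' ', so the literal brackets close up around the nickname.
XCHAT_SCROLLBACK_PIECES = ['[', 'nickname: {nickname}', ']', ' {text}']


def xchat_scrollback_message(nickname='bob', text='hello'):
    """Shows FORMAT_STRING_SEPARATOR = '' at work, including a missing nickname."""
    event = {'nickname': nickname, 'text': text}
    return format_pieces(XCHAT_SCROLLBACK_PIECES, event, separator='')
```

Running utmp_messages() yields the long message without the 'Exit status' piece and the three-piece short message; with nickname set to None the scrollback line degrades to '[] hello', which is why literal pieces around an optional attribute look odd when the attribute is absent.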

plaso.lib package

Submodules
plaso.lib.bufferlib module

Circular buffer for storing event objects.

class plaso.lib.bufferlib.CircularBuffer(size)[source]

Bases: object

Class that defines a circular buffer for storing event objects.

Append(item)[source]

Add an item to the list.

Parameters:item (object) – item.
Clear()[source]

Removes all elements from the list.

Flush()[source]

Returns a generator for all items and clears the buffer.

GetCurrent()[source]

Retrieves the current item that index points to.

Returns:item.
Return type:object
__iter__()[source]

Return all elements from the list.

__len__()[source]

Return the length (the fixed size).

size

int – number of elements in the buffer.

plaso.lib.decorators module

Function decorators.

plaso.lib.decorators.deprecated(function)[source]

Decorator to mark functions or methods as deprecated.

plaso.lib.definitions module

The definitions.

plaso.lib.errors module

This file contains the error classes.

exception plaso.lib.errors.BadConfigObject[source]

Bases: plaso.lib.errors.Error

Raised when the configuration object is of the wrong type.

exception plaso.lib.errors.BadConfigOption[source]

Bases: plaso.lib.errors.Error

Raised when a faulty configuration option is encountered.

exception plaso.lib.errors.ConnectionError[source]

Bases: plaso.lib.errors.Error

Class that defines errors encountered connecting to a service.

exception plaso.lib.errors.Error[source]

Bases: Exception

Base error class.

exception plaso.lib.errors.HeapFull[source]

Bases: plaso.lib.errors.Error

Class that implements a heap full exception.

exception plaso.lib.errors.InvalidEvent[source]

Bases: plaso.lib.errors.Error

Error indicating an event is malformed.

exception plaso.lib.errors.MalformedQueryError[source]

Bases: plaso.lib.errors.Error

Raised when an objectfilter query is malformed.

exception plaso.lib.errors.MaximumRecursionDepth[source]

Bases: plaso.lib.errors.Error

Raised when the maximum recursion depth is reached.

exception plaso.lib.errors.NoFormatterFound[source]

Bases: plaso.lib.errors.Error

Raised when no formatter is found for a particular event object.

exception plaso.lib.errors.ParseError[source]

Bases: plaso.lib.errors.Error

Raised when a parse error occurred.

exception plaso.lib.errors.PreProcessFail[source]

Bases: plaso.lib.errors.Error

Raised when a preprocess module is unable to gather information.

exception plaso.lib.errors.QueueAlreadyClosed[source]

Bases: plaso.lib.errors.Error

Raised when an attempt is made to close a queue that is already closed.

exception plaso.lib.errors.QueueAlreadyStarted[source]

Bases: plaso.lib.errors.Error

Raised when an attempt is made to start a queue that is already started.

exception plaso.lib.errors.QueueClose[source]

Bases: plaso.lib.errors.Error

Class that implements a queue close exception.

exception plaso.lib.errors.QueueEmpty[source]

Bases: plaso.lib.errors.Error

Class that implements a queue empty exception.

exception plaso.lib.errors.QueueFull[source]

Bases: plaso.lib.errors.Error

Class that implements a queue full exception.

exception plaso.lib.errors.SerializationError[source]

Bases: plaso.lib.errors.Error

Class that defines serialization errors.

exception plaso.lib.errors.SourceScannerError[source]

Bases: plaso.lib.errors.Error

Class that defines source scanner errors.

exception plaso.lib.errors.TaggingFileError[source]

Bases: plaso.lib.errors.Error

Raised when the tagging file is invalid.

exception plaso.lib.errors.TimestampError[source]

Bases: plaso.lib.errors.Error

Class that defines timestamp errors.

exception plaso.lib.errors.UnableToLoadRegistryHelper[source]

Bases: plaso.lib.errors.Error

Raised when unable to load a Registry helper object.

exception plaso.lib.errors.UnableToParseFile[source]

Bases: plaso.lib.errors.Error

Raised when a parser is not designed to parse a file.

exception plaso.lib.errors.UserAbort[source]

Bases: plaso.lib.errors.Error

Class that defines a user-initiated abort exception.

exception plaso.lib.errors.WrongBencodePlugin[source]

Bases: plaso.lib.errors.Error

Error reporting wrong bencode plugin used.

exception plaso.lib.errors.WrongFormatter[source]

Bases: plaso.lib.errors.Error

Raised when the formatter is not applicable for a particular event.

exception plaso.lib.errors.WrongPlistPlugin[source]

Bases: plaso.lib.errors.Error

Error reporting wrong plist plugin used.

exception plaso.lib.errors.WrongPlugin[source]

Bases: plaso.lib.errors.Error

Raised when the plugin is of the wrong type.

exception plaso.lib.errors.WrongQueueType[source]

Bases: plaso.lib.errors.Error

Raised when an unsupported operation is attempted on a queue.

For example, attempting to Pop from a Push-only queue.

plaso.lib.lexer module

An LL(1) lexer. This lexer is very tolerant of errors and can resync.

This lexer is originally copied from the GRR project: https://code.google.com/p/grr

class plaso.lib.lexer.BinaryExpression(operator='', part=None)[source]

Bases: plaso.lib.lexer.Expression

An expression which takes two other expressions.

AddOperands(lhs, rhs)[source]

Add an operand.

Compile(filter_implementation)[source]

Compile the binary expression into a filter object.

PrintTree(depth='')[source]

Print the tree.

__str__()[source]

Return a string representation of the binary expression.

class plaso.lib.lexer.Expression[source]

Bases: object

A class representing an expression.

AddArg(arg)[source]

Adds a new arg to this expression.

Parameters:arg – The argument to add (string).
Returns:True if this arg is the last arg, False otherwise.
Raises:ParseError – If there are too many args.
Compile(unused_filter_implementation)[source]

Given a filter implementation, compile this expression.

PrintTree(depth='')[source]

Print the tree.

SetAttribute(attribute)[source]

Set the attribute.

SetOperator(operator)[source]

Set the operator.

__str__()[source]

Return a string representation of the expression.

args = None
attribute = None
number_of_args = 1
operator = None
class plaso.lib.lexer.IdentityExpression[source]

Bases: plaso.lib.lexer.Expression

An Expression which always evaluates to True.

Compile(filter_implementation)[source]

Compile the expression.

class plaso.lib.lexer.Lexer(data='')[source]

Bases: object

A generic feed lexer.

Close()[source]

A convenience function to force us to parse all the data.

Default(**kwarg)[source]

The default callback handler.

Empty()[source]

Returns a boolean indicating if the buffer is empty.

Error(message=None, weight=1)[source]

Logs an error.

Parameters:
  • message – optional error message.
  • weight – optional error weight.
Feed(data)[source]

Feed the buffer with data.

Parameters:data – data to be processed by the lexer.
NextToken()[source]

Fetch the next token by trying to match any of the regexes in order.

PopState(**unused_kwargs)[source]

Pop the previous state from the stack.

PushBack(string='', **unused_kwargs)[source]

Push the match back on the stream.

Parameters:string – optional data.
PushState(**unused_kwargs)[source]

Push the current state on the state stack.

tokens = []
class plaso.lib.lexer.SearchParser(data)[source]

Bases: plaso.lib.lexer.Lexer

This parser can parse the mini query language and build an AST.

Examples of valid syntax:

  filename contains "foo" and (size > 100k or date before "2011-10")
  date between 2011 and 2010
  files older than 1 year
BinaryOperator(string=None, **unused_kwargs)[source]

Set the binary operator.

BracketClose(**unused_kwargs)[source]

Close the bracket.

BracketOpen(**unused_kwargs)[source]

Define an open bracket.

Error(message=None, unused_weight=1)[source]

Raise an error message.

InsertArg(string='', **unused_kwargs)[source]

Insert an arg to the current expression.

Parse()[source]

Parse.

Reduce()[source]

Reduce the token stack into an AST.

StoreAttribute(string='', **unused_kwargs)[source]

Store the attribute.

StoreOperator(string='', **unused_kwargs)[source]

Store the operator.

StringEscape(string, match, **unused_kwargs)[source]

Escape backslashes found inside a string quote.

Backslashes followed by anything other than ['"rnbt] will just be included in the string.

Parameters:
  • string – The string that matched.
  • match – the match object (instance of re.MatchObject). Where match.group(1) contains the escaped code.
StringFinish(**unused_kwargs)[source]

Finish the string operation.

StringInsert(string='', **unused_kwargs)[source]

Add to the string.

StringStart(**unused_kwargs)[source]

Initialize the string.

binary_expression_cls

alias of BinaryExpression

expression_cls

alias of Expression

tokens = [<plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>]
class plaso.lib.lexer.SelfFeederMixIn(file_object=None)[source]

Bases: plaso.lib.lexer.Lexer

This mixin is used to make a lexer which feeds itself.

Note that self.file_object must be the file object we read from.

Feed(size=512)[source]

Feed data into the buffer.

Parameters:size – optional data size to read from the file-like object.
NextToken()[source]

Retrieves the next token.

Returns:The next token (instance of Token) or None.
class plaso.lib.lexer.Token(state_regex, regex, actions, next_state, flags=2)[source]

Bases: object

A token action.

plaso.lib.line_reader_file module

Binary line reader file-like object.

class plaso.lib.line_reader_file.BinaryDSVReader(binary_line_reader, delimiter)[source]

Bases: object

Basic reader for delimiter separated text files of unknown encoding.

This is used for reading data from text files where the content is unknown, or possibly using a mixed encoding.

__iter__()[source]

Iterates over delimiter separated values.

Yields:list(bytes) – lines of encoded bytes.
class plaso.lib.line_reader_file.BinaryLineReader(file_object, end_of_line=b'\n')[source]

Bases: object

Line reader for binary file-like objects.

end_of_line

bytes – byte sequence that separates lines from each other.

__enter__()[source]

Enters a with statement.

__exit__(exception_type, value, traceback)[source]

Exits a with statement.

__iter__()[source]

Returns a line of text.

Yields:bytes – line of text.
readline(size=None)[source]

Reads a single line of text.

The function reads one entire line from the file-like object. A trailing end-of-line indicator (newline by default) is kept in the byte string (but may be absent when a file ends with an incomplete line). An empty byte string is returned only when end-of-file is encountered immediately.

Parameters:size (Optional[int]) – maximum byte size to read. If present and non-negative, it is a maximum byte count (including the trailing end-of-line) and an incomplete line may be returned.
Returns:line of text.
Return type:bytes
Raises:ValueError – if the specified size is less than zero or greater than the maximum size allowed.
readlines(sizehint=None)[source]

Reads lines of text.

The function reads until EOF using readline() and returns a list containing the lines read.

Parameters:sizehint (Optional[int]) – maximum byte size to read. If present, instead of reading up to EOF, whole lines totalling sizehint bytes are read.
Returns:lines of text.
Return type:list[bytes]
tell()[source]

Retrieves the current offset into the file-like object.

Returns:current offset into the file-like object.
Return type:int
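The readline() contract above (a configurable end-of-line byte sequence, a trailing terminator that is kept, a size cap that may return an incomplete line, and a ValueError past the maximum allowed size) matters for a forensic parser because an evidence file under examination can be hostile: a log with no line terminator at all must not make the reader buffer the whole file. The class below is an added example, not plaso's BinaryLineReader, that implements that contract with an explicit cap; the cap value, the 4096-byte read chunk, the CappedBinaryLineReader name and the sample byte streams are all constructed for this example.

```python
"""Capped binary line reader (added example, not plaso's BinaryLineReader)."""
import io

MAXIMUM_READ_BUFFER_SIZE = 16 * 1024 * 1024  # assumed cap for this example


class CappedBinaryLineReader(object):
    """Line reader over a binary file-like object with a bounded line buffer."""

    def __init__(self, file_object, end_of_line=b'\n',
                 maximum_size=MAXIMUM_READ_BUFFER_SIZE):
        self._file_object = file_object
        self._buffer = b''
        self._eof = False
        self._maximum_size = maximum_size
        self.end_of_line = end_of_line

    def _fill(self, chunk_size=4096):
        """Appends one chunk to the buffer and records end-of-file."""
        data = self._file_object.read(chunk_size)
        if not data:
            self._eof = True
        self._buffer += data

    def readline(self, size=None):
        """Reads one line including its terminator; at most size bytes."""
        if size is None:
            size = self._maximum_size
        if size < 0 or size > self._maximum_size:
            raise ValueError('invalid size: {0:d}'.format(size))
        while True:
            # The buffer is kept whole, so a terminator split across two
            # chunks is still found once the second chunk arrives.
            index = self._buffer.find(self.end_of_line)
            if index >= 0:
                line_end = index + len(self.end_of_line)
                break
            if self._eof or len(self._buffer) >= size:
                line_end = len(self._buffer)  # incomplete line
                break
            self._fill()
        line_end = min(line_end, size)
        line = self._buffer[:line_end]
        self._buffer = self._buffer[line_end:]
        return line

    def readlines(self, sizehint=None):
        """Reads whole lines until EOF, or until sizehint bytes are collected."""
        lines = []
        total = 0
        while True:
            line = self.readline()
            if not line:
                break
            lines.append(line)
            total += len(line)
            if sizehint is not None and total >= sizehint:
                break
        return lines

    def __iter__(self):
        while True:
            line = self.readline()
            if not line:
                return
            yield line

    def tell(self):
        """Offset of the next unread byte: file position minus buffered bytes."""
        return self._file_object.tell() - len(self._buffer)


# Constructed sample: two CRLF-terminated lines, then 10000 bytes without any
# terminator, the shape a crafted or truncated log file would have.
SAMPLE_LOG = (
    b'Jan  1 00:00:01 host sshd[1]: Accepted publickey for alice\r\n'
    b'Jan  1 00:00:02 host sshd[2]: Failed password for root\r\n'
    + b'A' * 10000)


def demo_lines():
    """Full line, size-limited partial line, then the rest via readlines()."""
    reader = CappedBinaryLineReader(io.BytesIO(SAMPLE_LOG), end_of_line=b'\r\n')
    first = reader.readline()
    partial = reader.readline(size=20)
    rest = reader.readlines()
    return first, partial, rest, reader.tell()


def demo_capped():
    """A 4096-byte cap splits the unterminated tail into bounded pieces."""
    reader = CappedBinaryLineReader(io.BytesIO(b'A' * 10000), maximum_size=4096)
    return [len(line) for line in reader]
```

demo_lines() returns the first line intact with its CRLF, the first 20 bytes of the second line, and then the remainder of that line followed by the unterminated 10000-byte tail; demo_capped() shows the same tail coming back as 4096, 4096 and 1808 bytes once the cap is lowered, which is the behaviour a parser must be prepared for instead of assuming every returned line ends in a terminator.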
plaso.lib.loggers module

Logging related classes and functions.

class plaso.lib.loggers.CompressedFileHandler(filename, mode='a', encoding='utf-8')[source]

Bases: logging.FileHandler

Compressed file handler for logging.

plaso.lib.loggers.ConfigureLogging(debug_output=False, filename=None, mode='w', quiet_mode=False)[source]

Configures the logging root logger.

Parameters:
  • debug_output (Optional[bool]) – True if the logging should include debug output.
  • filename (Optional[str]) – log filename.
  • mode (Optional[str]) – log file access mode.
  • quiet_mode (Optional[bool]) – True if the logging should not include information output. Note that debug_output takes precedence over quiet_mode.
plaso.lib.objectfilter module

Classes to perform filtering of objects based on their data members.

Given a list of objects and a textual filter expression, these classes allow you to determine which objects match the filter. The system has two main pieces: A parser for the supported grammar and a filter implementation.

Given any complying user-supplied grammar, it is parsed with a custom lexer based on GRR’s lexer and then compiled into an actual implementation by using the filter implementation. A filter implementation simply provides actual implementations for the primitives required to perform filtering. The compiled result is always a class supporting the Filter interface.

If we define a class called Car such as:

class Car(object):
  def __init__(self, code, color="white", doors=3):
    self.code = code
    self.color = color
    self.doors = doors

And we have two instances:

ford_ka = Car("FORDKA1", color="grey")
toyota_corolla = Car("COROLLA1", color="white", doors=5)
fleet = [ford_ka, toyota_corolla]

We want to find cars that are grey and have 3 or more doors. We could filter our fleet like this:

criteria = "(color is grey) and (doors >= 3)"
parser = ContextFilterParser(criteria).Parse()
compiled_filter = parser.Compile(LowercaseAttributeFilterImp)

for car in fleet:
  if compiled_filter.Matches(car):
    print("Car %s matches the supplied filter." % car.code)

The filter expression contains two subexpressions joined by an AND operator:

“color is grey” and “doors >= 3”

This means we want to search for objects matching these two subexpressions. Let’s analyze the first one in depth “color is grey”:

  • “color”: the left operand specifies a search path to look for the data. This tells our filtering system to look for the color property on passed objects.
  • “is”: the operator. Values retrieved for the “color” property will be checked against the right operand to see if they are equal.
  • “grey”: the right operand. It specifies an explicit value to check for.

So each time an object is passed through the filter, it will expand the value of the color data member, and compare its value against “grey”.

Because data members of objects are often not simple datatypes but other objects, the system allows you to reference data members within other data members by separating each by a dot. Let’s see an example:

Let’s add a more complex Car class with default tyre data:

class Tyre(object):
  def __init__(self, brand, code):
    self.brand = brand
    self.code = code

class CarWithTyres(Car):
  def __init__(self, code, tyres=None, color="white", doors=3):
    super(CarWithTyres, self).__init__(code, color, doors)
    self.tyres = tyres or Tyre("Pirelli", "PZERO")

And two new instances:

ford_ka = CarWithTyres("FORDKA", color="grey", tyres=Tyre("AVON", "ZT5"))
toyota_corolla = Car("COROLLA1", color="white", doors=5)
fleet = [ford_ka, toyota_corolla]

To filter a car based on the tyre brand, we would use a search path of “tyres.brand”.

Because the filter implementation provides the actual classes that perform handling of the search paths, operators, etc., customizing the behaviour of the filter is easy. Three basic filter implementations are given:

  • BaseFilterImplementation: search path expansion is done on attribute names as provided (case-sensitive).
  • LowercaseAttributeFilterImp: search path expansion is done on the lowercased attribute name, so that it only accesses attributes, not methods.
  • DictFilterImplementation: search path expansion is done on dictionary access to the given object. So “a.b” expands the object obj to obj[“a”][“b”].
class plaso.lib.objectfilter.AndFilter(arguments=None, value_expander=None)[source]

Bases: plaso.lib.objectfilter.Filter

Performs a boolean AND of the given Filter instances as arguments.

Note that if no conditions are passed, all objects will pass.

Matches(obj)[source]

Whether object obj matches this filter.

class plaso.lib.objectfilter.AttributeValueExpander[source]

Bases: plaso.lib.objectfilter.ValueExpander

An expander that gives values based on object attribute names.

class plaso.lib.objectfilter.BaseFilterImplementation[source]

Bases: object

Defines the base implementation of an object filter by its attributes.

Inherit from this class, switch any of the needed operators and pass it to the Compile method of a parsed string to obtain an executable filter.

FILTERS = {'AndFilter': <class 'plaso.lib.objectfilter.AndFilter'>, 'Context': <class 'plaso.lib.objectfilter.Context'>, 'IdentityFilter': <class 'plaso.lib.objectfilter.IdentityFilter'>, 'OrFilter': <class 'plaso.lib.objectfilter.OrFilter'>, 'ValueExpander': <class 'plaso.lib.objectfilter.AttributeValueExpander'>}
OPS = {'!=': <class 'plaso.lib.objectfilter.NotEquals'>, '<': <class 'plaso.lib.objectfilter.Less'>, '<=': <class 'plaso.lib.objectfilter.LessEqual'>, '==': <class 'plaso.lib.objectfilter.Equals'>, '>': <class 'plaso.lib.objectfilter.Greater'>, '>=': <class 'plaso.lib.objectfilter.GreaterEqual'>, 'contains': <class 'plaso.lib.objectfilter.Contains'>, 'equals': <class 'plaso.lib.objectfilter.Equals'>, 'inlist': <class 'plaso.lib.pfilter.ParserList'>, 'inset': <class 'plaso.lib.objectfilter.InSet'>, 'iregexp': <class 'plaso.lib.objectfilter.RegexpInsensitive'>, 'is': <class 'plaso.lib.objectfilter.Equals'>, 'regexp': <class 'plaso.lib.objectfilter.Regexp'>}
class plaso.lib.objectfilter.BasicExpression[source]

Bases: plaso.lib.lexer.Expression

Basic Expression.

Compile(filter_implementation)[source]

Given a filter implementation, compile this expression.

FlipBool()[source]
class plaso.lib.objectfilter.BinaryExpression(operator='', part=None)[source]

Bases: plaso.lib.lexer.BinaryExpression

Compile(filter_implementation)[source]

Compile the binary expression into a filter object.

class plaso.lib.objectfilter.BinaryOperator(arguments=None, **kwargs)[source]

Bases: plaso.lib.objectfilter.Operator

Base class for binary operators.

The left operand is always a path into the object which will be expanded for values. The right operand is a value defined at initialization and is stored at self.right_operand.

class plaso.lib.objectfilter.Contains(**kwargs)[source]

Bases: plaso.lib.objectfilter.GenericBinaryOperator

Whether the right operand is contained in the value.

Operation(x, y)[source]

Performs the operation between two values.

class plaso.lib.objectfilter.Context(arguments=None, **kwargs)[source]

Bases: plaso.lib.objectfilter.Operator

Restricts the child operators to a specific context within the object.

Solves the context problem. The context problem is the following: Suppose you store a list of loaded DLLs within a process. Suppose that for each of these DLLs you store the number of imported functions and each of the imported functions name.

Imagine that a malicious DLL is injected into processes and its indicators are that it only imports one function and that it is RegQueryValueEx. You’d write your indicator like this:

AndOperator(
  Equal("ImportedDLLs.ImpFunctions.Name", "RegQueryValueEx"),
  Equal("ImportedDLLs.NumImpFunctions", "1")
)

Now imagine you have these two processes on a given system.

Process1
  • ImportedDLLs
    • DLL
      • Name: “notevil.dll”
      • ImpFunctions
        • Name: “CreateFileA”
      • NumImpFunctions: 1
    • DLL
      • Name: “alsonotevil.dll”
      • ImpFunctions
        • Name: “RegQueryValueEx”
        • Name: “CreateFileA”
      • NumImpFunctions: 2

Process2
  • ImportedDLLs
    • DLL
      • Name: “evil.dll”
      • ImpFunctions
        • Name: “RegQueryValueEx”
      • NumImpFunctions: 1

Both Process1 and Process2 match your query, as each of the indicators is evaluated separately. While you wanted to express “find me processes that have a DLL that has both exactly one imported function and RegQueryValueEx in its list of imported functions”, your indicator actually means “find processes that have at least one DLL with 1 imported function and at least one DLL that imports the RegQueryValueEx function”.

To write such an indicator you need to specify a context of ImportedDLLs for these two clauses, so that you convert your indicator to:

Context("ImportedDLLs",
        AndOperator(
          Equal("ImpFunctions.Name", "RegQueryValueEx"),
          Equal("NumImpFunctions", "1")
        ))

Context will execute the filter specified as the second parameter for each of the objects under “ImportedDLLs”, thus applying the condition per DLL, not per object and returning the right result.

Matches(obj)[source]

Whether object obj matches this filter.

class plaso.lib.objectfilter.ContextExpression(attribute='', part=None)[source]

Bases: plaso.lib.lexer.Expression

Represents the context operator.

Compile(filter_implementation)[source]

Compile the expression.

SetExpression(expression)[source]

Set the expression.

class plaso.lib.objectfilter.DictValueExpander[source]

Bases: plaso.lib.objectfilter.ValueExpander

An expander that gets values from dictionary access to the object.

class plaso.lib.objectfilter.Equals(**kwargs)[source]

Bases: plaso.lib.objectfilter.GenericBinaryOperator

Matches objects when the right operand equals the expanded value.

Operation(x, y)[source]

Performs the operation between two values.

class plaso.lib.objectfilter.Filter(arguments=None, value_expander=None)[source]

Bases: object

Base class for every filter.

Filter(objects)[source]

Returns a list of objects that pass the filter.

Matches(obj)[source]

Whether object obj matches this filter.

class plaso.lib.objectfilter.GenericBinaryOperator(**kwargs)[source]

Bases: plaso.lib.objectfilter.BinaryOperator

Allows easy implementations of operators.

FlipBool()[source]
Matches(obj)[source]

Whether object obj matches this filter.

Operate(values)[source]

Takes a list of values and if at least one matches, returns True.

Operation(x, y)[source]

Performs the operation between two values.

plaso.lib.objectfilter.GetUnicodeString(value)[source]

Attempts to convert the argument to a Unicode string.

Parameters:value (list|int|bytes|str) – value to convert.
Returns:string representation of the argument.
Return type:str
class plaso.lib.objectfilter.Greater(**kwargs)[source]

Bases: plaso.lib.objectfilter.GenericBinaryOperator

Whether the expanded value > right_operand.

Operation(x, y)[source]

Performs the operation between two values.

class plaso.lib.objectfilter.GreaterEqual(**kwargs)[source]

Bases: plaso.lib.objectfilter.GenericBinaryOperator

Whether the expanded value >= right_operand.

Operation(x, y)[source]

Performs the operation between two values.

class plaso.lib.objectfilter.IdentityFilter(arguments=None, value_expander=None)[source]

Bases: plaso.lib.objectfilter.Operator

Matches(_)[source]

Whether object obj matches this filter.

class plaso.lib.objectfilter.InSet(**kwargs)[source]

Bases: plaso.lib.objectfilter.GenericBinaryOperator

Whether all values are contained within the right operand.

Operation(x, y)[source]

Whether x is fully contained in y.

exception plaso.lib.objectfilter.InvalidNumberOfOperands[source]

Bases: plaso.lib.errors.Error

The number of operands provided to this operator is wrong.

class plaso.lib.objectfilter.Less(**kwargs)[source]

Bases: plaso.lib.objectfilter.GenericBinaryOperator

Whether the expanded value < right_operand.

Operation(x, y)[source]

Performs the operation between two values.

class plaso.lib.objectfilter.LessEqual(**kwargs)[source]

Bases: plaso.lib.objectfilter.GenericBinaryOperator

Whether the expanded value <= right_operand.

Operation(x, y)[source]

Performs the operation between two values.

class plaso.lib.objectfilter.LowercaseAttributeValueExpander[source]

Bases: plaso.lib.objectfilter.AttributeValueExpander

An expander that lowercases all attribute names before access.

class plaso.lib.objectfilter.NotEquals(**kwargs)[source]

Bases: plaso.lib.objectfilter.Equals

Matches when the right operand isn’t equal to the expanded value.

class plaso.lib.objectfilter.Operator(arguments=None, value_expander=None)[source]

Bases: plaso.lib.objectfilter.Filter

Base class for all operators.

class plaso.lib.objectfilter.OrFilter(arguments=None, value_expander=None)[source]

Bases: plaso.lib.objectfilter.Filter

Performs a boolean OR of the given Filter instances as arguments.

Note that if no conditions are passed, all objects will pass.

Matches(obj)[source]

Whether object obj matches this filter.

class plaso.lib.objectfilter.Parser(data)[source]

Bases: plaso.lib.lexer.SearchParser

Parses and generates an AST for a query written in the described language.

Examples of valid syntax:

size is 40
(name contains “Program Files” AND hash.md5 is “123abc”)
@imported_modules (num_symbols = 14 AND symbol.name is “FindWindow”)
ContextOperator(string='', **unused_kwargs)[source]
Error(message=None, _=None)[source]

Raise an error message.

FlipAllowed()[source]

Raise an error if the not keyword is used where it is not allowed.

FlipLogic(**unused_kwargs)[source]

Flip the boolean logic of the expression.

If an expression is configured to return True when the condition is met this logic will flip that to False, and vice versa.

HexEscape(string, match, **unused_kwargs)[source]

Converts a hex escaped string.

InsertArg(string='', **unused_kwargs)[source]

Insert an arg to the current expression.

InsertFloatArg(string='', **unused_kwargs)[source]

Inserts a Float argument.

InsertInt16Arg(string='', **unused_kwargs)[source]

Inserts an Integer in base16 argument.

InsertIntArg(string='', **unused_kwargs)[source]

Inserts an Integer argument.

Reduce()[source]

Reduce the token stack into an AST.

StoreAttribute(string='', **kwargs)[source]

Store the attribute.

StringEscape(string, match, **unused_kwargs)[source]

Escape backslashes found inside a string quote.

Backslashes followed by anything other than ['"rnbt.ws] will raise an Error.

Parameters:
  • string – The string that matched.
  • match – the match object (instance of re.MatchObject). Where match.group(1) contains the escaped code.
Raises:

ParseError – When the escaped string is not one of ['"rnbt]

StringFinish(**unused_kwargs)[source]

Finish the string operation.

binary_expression_cls

alias of BinaryExpression

context_cls

alias of ContextExpression

expression_cls

alias of BasicExpression

tokens = [<plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>]
class plaso.lib.objectfilter.Regexp(*children, **kwargs)[source]

Bases: plaso.lib.objectfilter.GenericBinaryOperator

Whether the value matches the regexp in the right operand.

Operation(x, unused_y)[source]

Performs the operation between two values.

class plaso.lib.objectfilter.RegexpInsensitive(*children, **kwargs)[source]

Bases: plaso.lib.objectfilter.Regexp

Whether the value matches the regexp in the right operand.

class plaso.lib.objectfilter.UnaryOperator(operand, **kwargs)[source]

Bases: plaso.lib.objectfilter.Operator

Base class for unary operators.

class plaso.lib.objectfilter.ValueExpander[source]

Bases: object

Encapsulates the logic to expand values available in an object.

Once instantiated and called, this class returns all the values that follow a given field path.

Expand(obj, path)[source]

Returns a list of all the values for the given path in the object obj.

Given a path such as [“sub1”, “sub2”] it returns all the values available in obj.sub1.sub2 as a list. sub1 and sub2 must be data attributes or properties.

If sub1 returns a list of objects, or a generator, Expand aggregates the values for the remaining path for each of the objects, thus returning a list of all the values under the given path for the input object.

Parameters:
  • obj – An object that will be traversed for the given path
  • path – A list of strings
Yields:

The values once the object is traversed.

FIELD_SEPARATOR = '.'
plaso.lib.pfilter module

An extension of the objectfilter to provide plaso specific options.

class plaso.lib.pfilter.BaseParser(data)[source]

Bases: plaso.lib.objectfilter.Parser

Plaso version of the Parser.

expression_cls

alias of PlasoExpression

class plaso.lib.pfilter.DateCompareObject(data)[source]

Bases: object

A specific class created for date comparison.

This object takes a date representation, whether that is a direct integer datetime object or a string presenting the date, and uses that for comparing against timestamps stored as microseconds since Jan 1, 1970 00:00:00 UTC.

This makes it possible to use regular comparison operators for dates, irrespective of the format the date comes in. Since plaso stores all timestamps in the same format, which is an integer/long, it is a simple matter of converting the input into the same format (int) and comparing that.

__cmp__(x)[source]

A simple comparison operation.

__eq__(x)[source]

Check if equal.

__ge__(x)[source]

Greater or equal comparison.

__gt__(x)[source]

Greater comparison.

__le__(x)[source]

Less or equal comparison.

__lt__(x)[source]

Less comparison.

__ne__(x)[source]

Check if not equal.

__str__()[source]

Return a string representation of the object.

class plaso.lib.pfilter.DictObject(dict_object)[source]

Bases: object

A simple object representing a dict object.

To filter against an object that is stored as a dictionary the dict is converted into a simple object. Since keys can contain spaces and/or other symbols they are stripped out to make filtering work like it is another object.

Example dict:

{'A value': 234,
 'this (my) key_': 'value',
 'random': True,
}

This object would then allow access to object.thismykey that would access the key ‘this (my) key_’ inside the dict.

__getattr__(attr)[source]

Return back entries from the dictionary.
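An added stand-alone illustration of the key normalisation described above (example code, not plaso's own DictObject): keys are lowercased and stripped of everything but letters and digits, an assumed rule that reproduces the ‘this (my) key_’ to thismykey mapping, and the object also flags the case where two distinct keys collapse onto the same attribute name, since a filter written against such a name would otherwise silently pick one of them.

```python
import re

# Assumed normalisation rule for this example: keep only ASCII letters and
# digits, then lowercase. It maps 'this (my) key_' to 'thismykey'.
_STRIP_RE = re.compile(r'[^0-9a-zA-Z]')


def NormalizeKey(key):
    """Turns a dictionary key into an attribute-style name."""
    return _STRIP_RE.sub('', str(key)).lower()


class DictObject(object):
    """Exposes the keys of a dict as attributes so a filter can traverse it."""

    def __init__(self, dict_object):
        self._dict_object = dict_object
        # Map every normalised name back to the original key(s) producing it.
        self._key_map = {}
        for key in dict_object:
            self._key_map.setdefault(NormalizeKey(key), []).append(key)

    def __getattr__(self, attr):
        # Only reached for names that are not real attributes of the object.
        keys = self.__dict__.get('_key_map', {}).get(attr)
        if not keys:
            raise AttributeError(attr)
        if len(keys) > 1:
            # Two different keys collapsed onto one name: refuse to guess.
            raise AttributeError(
                'ambiguous attribute %s maps to %r' % (attr, keys))
        return self._dict_object[keys[0]]

    def AmbiguousNames(self):
        """Returns the normalised names that several original keys map to."""
        return {name: keys for name, keys in self._key_map.items()
                if len(keys) > 1}


# Constructed sample matching the dict shown in the docstring.
SAMPLE = DictObject({'A value': 234, 'this (my) key_': 'value', 'random': True})

if __name__ == '__main__':
    print(SAMPLE.thismykey)
    print(SAMPLE.avalue)
    print(DictObject({'a b': 1, 'ab': 2}).AmbiguousNames())
```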

class plaso.lib.pfilter.ParserList(*children, **kwargs)[source]

Bases: plaso.lib.objectfilter.GenericBinaryOperator

Matches when a parser is inside a predefined list of parsers.

Operation(x, unused_y)[source]

Returns True if the parser list contains the parser, False otherwise.

class plaso.lib.pfilter.PlasoAttributeFilterImplementation[source]

Bases: plaso.lib.objectfilter.BaseFilterImplementation

Does field name access on the lowercase version of names.

Useful to only access attributes and properties with Google’s python naming style.

FILTERS = {'AndFilter': <class 'plaso.lib.objectfilter.AndFilter'>, 'Context': <class 'plaso.lib.objectfilter.Context'>, 'IdentityFilter': <class 'plaso.lib.objectfilter.IdentityFilter'>, 'OrFilter': <class 'plaso.lib.objectfilter.OrFilter'>, 'ValueExpander': <class 'plaso.lib.pfilter.PlasoValueExpander'>}
OPS = {'!=': <class 'plaso.lib.objectfilter.NotEquals'>, '<': <class 'plaso.lib.objectfilter.Less'>, '<=': <class 'plaso.lib.objectfilter.LessEqual'>, '==': <class 'plaso.lib.objectfilter.Equals'>, '>': <class 'plaso.lib.objectfilter.Greater'>, '>=': <class 'plaso.lib.objectfilter.GreaterEqual'>, 'contains': <class 'plaso.lib.objectfilter.Contains'>, 'equals': <class 'plaso.lib.objectfilter.Equals'>, 'inlist': <class 'plaso.lib.pfilter.ParserList'>, 'inset': <class 'plaso.lib.objectfilter.InSet'>, 'iregexp': <class 'plaso.lib.objectfilter.RegexpInsensitive'>, 'is': <class 'plaso.lib.objectfilter.Equals'>, 'regexp': <class 'plaso.lib.objectfilter.Regexp'>}
class plaso.lib.pfilter.PlasoExpression[source]

Bases: plaso.lib.objectfilter.BasicExpression

A Plaso specific expression.

Compile(filter_implementation)[source]

Compiles the filter implementation.

Parameters:filter_implementation – a filter object (instance of objectfilter.TODO).
Returns:A filter operator (instance of TODO).
Raises:ParserError – if an unknown operator is provided.
swap_source = {'date': 'timestamp', 'datetime': 'timestamp', 'description': 'message', 'description_long': 'message', 'description_short': 'message_short', 'time': 'timestamp'}
class plaso.lib.pfilter.PlasoValueExpander[source]

Bases: plaso.lib.objectfilter.AttributeValueExpander

An expander that gives values based on object attribute names.

class plaso.lib.pfilter.TimeRangeCache[source]

Bases: object

A class that stores time ranges from filters.

classmethod GetTimeRange()[source]

Return the first and last timestamp of filter range.

MAX_INT64 = 18446744073709551615
classmethod SetLowerTimestamp(timestamp)[source]

Sets the lower bound timestamp.

classmethod SetUpperTimestamp(timestamp)[source]

Sets the upper bound timestamp.

plaso.lib.plist module

The plist file object.

class plaso.lib.plist.PlistFile[source]

Bases: object

Class that defines a plist file.

root_key

dict – the plist root key.

GetValueByPath(path_segments)[source]

Retrieves a plist value by path.

Parameters:path_segments (list[str]) – path segment strings relative to the root of the plist.
Returns:The value of the key specified by the path or None.
Return type:object
Read(file_object)[source]

Reads a plist from a file-like object.

Parameters:file_object (dfvfs.FileIO) – a file-like object containing plist data.
Raises:IOError – if the plist file-like object cannot be read.
plaso.lib.py2to3 module

The Python 2 and 3 compatible type definitions.

plaso.lib.specification module

The format specification classes.

class plaso.lib.specification.FormatSpecification(identifier, text_format=False)[source]

Bases: object

The format specification.

AddNewSignature(pattern, offset=None)[source]

Adds a signature.

Parameters:
  • pattern (bytes) – pattern of the signature.
  • offset (int) – offset of the signature. None is used to indicate the signature has no offset. A positive offset is relative to the start of the data; a negative offset is relative to the end of the data.
IsTextFormat()[source]

Determines if the format is a text format.

Returns:True if the format is a text format, False otherwise.
Return type:bool
class plaso.lib.specification.FormatSpecificationStore[source]

Bases: object

The store for format specifications.

AddNewSpecification(identifier)[source]

Adds a new format specification.

Parameters:identifier (str) – format identifier, which should be unique for the store.
Returns:format specification.
Return type:FormatSpecification
Raises:KeyError – if the store already contains a specification with the same identifier.
AddSpecification(specification)[source]

Adds a format specification.

Parameters:specification (FormatSpecification) – format specification.
Raises:KeyError – if the store already contains a specification with the same identifier.
GetSpecificationBySignature(signature_identifier)[source]

Retrieves a specification mapped to a signature identifier.

Parameters:signature_identifier (str) – unique signature identifier for a specification store.
Returns:
format specification or None if the signature
identifier does not exist within the specification store.
Return type:FormatSpecification
specifications

iterator – specifications iterator.

class plaso.lib.specification.Signature(pattern, offset=None)[source]

Bases: object

The format specification signature.

The signature consists of a byte string pattern, an optional offset relative to the start of the data, and a value to indicate if the pattern is bound to the offset.

SetIdentifier(identifier)[source]

Sets the identifier of the signature in the specification store.

Parameters:identifier (str) – unique signature identifier for a specification store.
plaso.lib.timelib module

Time manipulation functions and variables.

This module contains common methods that can be used to convert timestamps from various formats into the number of microseconds since January 1, 1970, 00:00:00 UTC that is used internally to store timestamps.

It also contains various functions to represent timestamps in a more human readable form.

plaso.lib.timelib.GetCurrentYear()[source]

Determines the current year.

plaso.lib.timelib.GetYearFromPosixTime(posix_time, timezone=pytz.UTC)[source]

Gets the year from a POSIX timestamp.

The POSIX time is the number of seconds since 1970-01-01 00:00:00 UTC.

Parameters:
  • posix_time – An integer containing the number of seconds since 1970-01-01 00:00:00 UTC.
  • timezone – Optional timezone of the POSIX timestamp.
Returns:

The year of the POSIX timestamp.

Raises:

ValueError – If the posix timestamp is out of the range of supported values.

class plaso.lib.timelib.Timestamp[source]

Bases: object

Class for converting timestamps to Plaso timestamps.

The Plaso timestamp is a 64-bit signed integer containing the number of microseconds since 1970-01-01 00:00:00.

The timestamp is not necessarily in UTC.

classmethod CopyFromString(time_string)[source]

Copies a timestamp from a string containing a date and time value.

Parameters:time_string – A string containing a date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:## Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and timezone offset are optional. The default timezone is UTC.
Returns:The timestamp, which is an integer containing the number of microseconds since January 1, 1970, 00:00:00 UTC.
Raises:ValueError – if the time string is invalid or not supported.
classmethod CopyToDatetime(timestamp, timezone, raise_error=False)[source]

Copies the timestamp to a datetime object.

Parameters:
  • timestamp – The timestamp, which is an integer containing the number of microseconds since January 1, 1970, 00:00:00 UTC.
  • timezone – The timezone (pytz.timezone) object.
  • raise_error – Boolean that if set to True will not absorb an OverflowError if the timestamp is out of bounds. By default there will be no error raised.
Returns:

A datetime object (instance of datetime.datetime). A datetime object of January 1, 1970 00:00:00 UTC is returned on error if raise_error is not set.

Raises:
  • OverflowError – If raise_error is set to True and an overflow error occurs.
  • ValueError – If raise_error is set to True and no timestamp value is provided.
classmethod CopyToIsoFormat(timestamp, timezone=pytz.UTC, raise_error=False)[source]

Copies the timestamp to an ISO 8601 formatted string.

Parameters:
  • timestamp – The timestamp, which is an integer containing the number of microseconds since January 1, 1970, 00:00:00 UTC.
  • timezone – Optional timezone (instance of pytz.timezone).
  • raise_error – Boolean that if set to True will not absorb an OverflowError if the timestamp is out of bounds. By default there will be no error raised.
Returns:

A string containing an ISO 8601 formatted date and time.

classmethod FromTimeString(time_string, dayfirst=False, gmt_as_timezone=True, timezone=pytz.UTC)[source]

Converts a string containing a date and time value into a timestamp.

Parameters:
  • time_string – String that contains a date and time value.
  • dayfirst – An optional boolean argument. If set to True, the parser changes the precedence in which it parses timestamps from MM-DD-YYYY to DD-MM-YYYY (and YYYY-MM-DD becomes YYYY-DD-MM, etc.).
  • gmt_as_timezone – Sometimes the dateutil parser interprets GMT and UTC the same way, that is, it makes no distinction between them. By default this is set to True, meaning GMT can be interpreted differently from UTC. If that is not the expected result this attribute can be set to False.
  • timezone – Optional timezone object (instance of pytz.timezone) that the date and time value in the string represents. This value is used when the timezone cannot be determined from the string.
Returns:

The timestamp, which is an integer containing the number of microseconds since January 1, 1970, 00:00:00 UTC, or 0 on error.

Raises:

TimestampError – if the time string could not be parsed.

classmethod GetNow()[source]

Retrieves the current time (now) as a timestamp in UTC.

Returns:The timestamp, which is an integer containing the number of microseconds since January 1, 1970, 00:00:00 UTC.
classmethod LocaltimeToUTC(timestamp, timezone, is_dst=False)[source]

Converts the timestamp in localtime of the timezone to UTC.

Parameters:
  • timestamp – The timestamp, which is an integer containing the number of microseconds since January 1, 1970, 00:00:00 UTC.
  • timezone – The timezone (pytz.timezone) object.
  • is_dst – A boolean to indicate the timestamp is corrected for daylight saving time (DST); only used for the DST transition period.
Returns:

The timestamp, which is an integer containing the number of microseconds since January 1, 1970, 00:00:00 UTC, or 0 on error.

NONE_TIMESTAMP = 0
classmethod RoundToSeconds(timestamp)[source]

Takes a timestamp value and rounds it to a second precision.

Module contents

plaso.multi_processing package

Submodules
plaso.multi_processing.analysis_process module

The multi-process analysis process.

class plaso.multi_processing.analysis_process.AnalysisProcess(event_queue, storage_writer, knowledge_base, analysis_plugin, processing_configuration, data_location=None, event_filter_expression=None, **kwargs)[source]

Bases: plaso.multi_processing.base_process.MultiProcessBaseProcess

Multi-processing analysis process.

SignalAbort()[source]

Signals the process to abort.

plaso.multi_processing.base_process module

Base class for a process used in multi-processing.

class plaso.multi_processing.base_process.MultiProcessBaseProcess(processing_configuration, enable_sigsegv_handler=False, **kwargs)[source]

Bases: multiprocessing.context.Process

Multi-processing process interface.

rpc_port

int – port number of the process status RPC server.

SignalAbort()[source]

Signals the process to abort.

name

str – process name.

run()[source]

Runs the process.

plaso.multi_processing.engine module

The multi-process processing engine.

class plaso.multi_processing.engine.MultiProcessEngine[source]

Bases: plaso.engine.engine.BaseEngine

Multi-process engine base.

This class contains functionality to:

  • monitor and manage worker processes;
  • retrieve process status information via RPC;
  • manage the status update thread.

plaso.multi_processing.logger module

The multi-processing sub module logger.

plaso.multi_processing.multi_process_queue module

A multiprocessing-backed queue.

class plaso.multi_processing.multi_process_queue.MultiProcessingQueue(maximum_number_of_queued_items=0, timeout=None)[source]

Bases: plaso.engine.plaso_queue.Queue

Multi-processing queue.

Close(abort=False)[source]

Closes the queue.

This needs to be called from any process or thread putting items onto the queue.

Parameters:abort (Optional[bool]) – True if the close was issued on abort.
Empty()[source]

Empties the queue.

IsEmpty()[source]

Determines if the queue is empty.

Open()[source]

Opens the queue.

PopItem()[source]

Pops an item off the queue.

Returns:

item from the queue.

Return type:

object

Raises:
  • QueueClose – if the queue has already been closed.
  • QueueEmpty – if no item could be retrieved from the queue within the specified timeout.
PushItem(item, block=True)[source]

Pushes an item onto the queue.

Parameters:
  • item (object) – item to add.
  • block (Optional[bool]) – True to block the process when the queue is full.
Raises:

QueueFull – if the item could not be pushed onto the queue because it is full.

plaso.multi_processing.plaso_xmlrpc module

XML RPC server and client.

class plaso.multi_processing.plaso_xmlrpc.ThreadedXMLRPCServer(callback)[source]

Bases: plaso.multi_processing.rpc.RPCServer

Threaded XML RPC server.

Start(hostname, port)[source]

Starts the process status RPC server.

Parameters:
  • hostname (str) – hostname or IP address the server accepts requests on.
  • port (int) – port the server accepts requests on.
Returns:

True if the RPC server was successfully started.

Return type:

bool

Stop()[source]

Stops the process status RPC server.

class plaso.multi_processing.plaso_xmlrpc.XMLProcessStatusRPCClient[source]

Bases: plaso.multi_processing.plaso_xmlrpc.XMLRPCClient

XML process status RPC client.

class plaso.multi_processing.plaso_xmlrpc.XMLProcessStatusRPCServer(callback)[source]

Bases: plaso.multi_processing.plaso_xmlrpc.ThreadedXMLRPCServer

XML process status threaded RPC server.

class plaso.multi_processing.plaso_xmlrpc.XMLRPCClient[source]

Bases: plaso.multi_processing.rpc.RPCClient

XML RPC client.

CallFunction()[source]

Calls the function via RPC.

Close()[source]

Closes the RPC communication channel to the server.

Open(hostname, port)[source]

Opens a RPC communication channel to the server.

Parameters:
  • hostname (str) – hostname or IP address to connect to for requests.
  • port (int) – port to connect to for requests.
Returns:

True if the communication channel was established.

Return type:

bool
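The process status RPC server and client documented above expose exactly one thing: a callback that reports a worker's status. The following is an added example, not plaso's plaso_xmlrpc implementation, showing the same Start/Stop and Open/CallFunction/Close shape on the standard library's XML-RPC server, with the surface kept small: only the status function is registered, no introspection, no dotted-name traversal, and binding is refused unless the address is loopback. The class names, the `status` method name, the `rpc_port` property and the `ExposedMethodNames` helper are this example's own.

```python
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

LOOPBACK_HOSTS = ('127.0.0.1', 'localhost')  # assumed policy: loopback only


class _StatusRequestHandler(SimpleXMLRPCRequestHandler):
    rpc_paths = ('/RPC2',)  # any other path is answered with 404


class ProcessStatusRPCServer:
    """Threaded XML-RPC status server shaped like the documented RPCServer.

    Added example, not plaso's code. callback is a zero-argument function that
    returns the process status as XML-RPC marshallable data (a dict of strings
    and ints). Only that function is registered: no introspection functions,
    no instance with allow_dotted_names, and only loopback binding is accepted.
    """

    def __init__(self, callback):
        self._callback = callback
        self._server = None
        self._thread = None

    def Start(self, hostname, port):
        """Starts serving; False if the address is refused or the bind fails."""
        if hostname not in LOOPBACK_HOSTS:
            return False  # worker status must not be reachable from the network
        try:
            self._server = SimpleXMLRPCServer(
                (hostname, port), requestHandler=_StatusRequestHandler,
                logRequests=False, allow_none=True)
        except OSError:
            self._server = None
            return False
        self._server.register_function(self._callback, 'status')
        self._thread = threading.Thread(
            target=self._server.serve_forever, daemon=True)
        self._thread.start()
        return True

    @property
    def rpc_port(self):
        """Port actually bound; useful when Start() was given port 0."""
        return self._server.server_address[1] if self._server else None

    def Stop(self):
        if self._server is None:
            return
        self._server.shutdown()
        self._server.server_close()
        self._thread.join()
        self._server = None


class ProcessStatusRPCClient:
    """Client counterpart; CallFunction() returns the status or None on failure."""

    def __init__(self):
        self._proxy = None

    def Open(self, hostname, port):
        self._proxy = xmlrpc.client.ServerProxy(
            f'http://{hostname}:{port}/RPC2', allow_none=True)
        return True

    def CallFunction(self):
        if self._proxy is None:
            return None
        try:
            return self._proxy.status()
        except (OSError, xmlrpc.client.Fault, xmlrpc.client.ProtocolError):
            return None

    def Close(self):
        if self._proxy is not None:
            self._proxy('close')()
            self._proxy = None


def ExposedMethodNames(hostname, port):
    """Returns system.listMethods() output, or None when introspection is off."""
    proxy = xmlrpc.client.ServerProxy(f'http://{hostname}:{port}/RPC2')
    try:
        return proxy.system.listMethods()
    except xmlrpc.client.Fault:
        return None
    finally:
        proxy('close')()
```

Passing port 0 lets the operating system pick a free port, which is what a foreman would then read back through `rpc_port`; `ExposedMethodNames` is the check to run against any such endpoint to confirm that nothing beyond the status function is callable.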

plaso.multi_processing.psort module

The psort multi-processing engine.

class plaso.multi_processing.psort.PsortEventHeap[source]

Bases: object

Psort event heap.

PopEvent()[source]

Pops an event from the heap.

Returns:
  • str: identifier of the event MACB group, or None if the event cannot be grouped.
  • str: identifier of the event content.
  • EventObject: event.
Return type:tuple
PopEvents()[source]

Pops events from the heap.

Yields:EventObject – event.
PushEvent(event)[source]

Pushes an event onto the heap.

Parameters:event (EventObject) – event.
number_of_events

int – number of events on the heap.
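The PopEvent() contract above (a MACB group identifier, a content identifier and the event) is what lets the psort engine hand events that share a timestamp and event data to the output module as one group. The following is an added example, not plaso's PsortEventHeap: a heap ordered by timestamp, then by the group identifier, so that members of one MACB group are popped consecutively and a consumer can collect them. The Event class, the four MACB timestamp descriptions, the SHA-256 content identifier, the PopEventGroups helper and the sample events are constructed for the example.

```python
import hashlib
import heapq
import itertools
from dataclasses import dataclass

# Timestamp descriptions whose events may form a MACB group; any other
# description never groups (assumed subset of definitions.TIME_DESCRIPTIONS).
MACB_DESCRIPTIONS = frozenset([
    'Content Modification Time', 'Last Access Time',
    'Metadata Modification Time', 'Creation Time'])


@dataclass(frozen=True)
class Event:
    """Constructed stand-in for plaso's EventObject (hypothetical, minimal)."""
    timestamp: int        # microseconds since the POSIX epoch
    timestamp_desc: str   # a MACB description above, or any other description
    data_type: str
    attributes: tuple     # (name, value) pairs describing the event data


def ContentIdentifier(event):
    """Digest of the event data, excluding the timestamp and its description."""
    digest = hashlib.sha256(event.data_type.encode('utf-8'))
    for name, value in sorted(event.attributes):
        digest.update(f'\x00{name}={value!r}'.encode('utf-8'))
    return digest.hexdigest()


class EventHeap:
    """Heap ordered by (timestamp, MACB group identifier, content identifier).

    Because the order includes the group identifier, the events of one MACB
    group come off the heap one after another.
    """

    def __init__(self):
        self._heap = []
        self._counter = itertools.count()  # tie-breaker; events never compare

    @property
    def number_of_events(self):
        return len(self._heap)

    def PushEvent(self, event):
        content_identifier = ContentIdentifier(event)
        if event.timestamp_desc in MACB_DESCRIPTIONS:
            macb_group_identifier = f'{event.timestamp}:{content_identifier}'
        else:
            macb_group_identifier = None
        heapq.heappush(self._heap, (
            event.timestamp, macb_group_identifier or '', content_identifier,
            next(self._counter), event))

    def PopEvent(self):
        """Returns (macb_group_identifier or None, content_identifier, event)."""
        _, macb_group_identifier, content_identifier, _, event = heapq.heappop(
            self._heap)
        return macb_group_identifier or None, content_identifier, event

    def PopEvents(self):
        while self._heap:
            yield self.PopEvent()[2]


def PopEventGroups(heap):
    """Drains the heap into MACB groups; ungroupable events stand alone."""
    groups = []
    current_identifier = None
    while heap.number_of_events:
        macb_group_identifier, _, event = heap.PopEvent()
        if macb_group_identifier is not None and (
                macb_group_identifier == current_identifier):
            groups[-1].append(event)
        else:
            groups.append([event])
        current_identifier = macb_group_identifier
    return groups


def SampleEvents():
    """Constructed sample: one file with A, M and B at the same instant, a later
    access to it, and a browser visit sharing the timestamp that never groups."""
    stat = ('fs:stat', (('filename', '/etc/passwd'), ('inode', 1234)))
    visit = ('chrome:history:page_visited', (('url', 'https://example.com/'),))
    return [
        Event(1000000, 'Last Access Time', *stat),
        Event(1000000, 'Last Visited Time', *visit),
        Event(1000000, 'Content Modification Time', *stat),
        Event(1000000, 'Creation Time', *stat),
        Event(2000000, 'Last Access Time', *stat),
    ]
```

The content identifier deliberately leaves the timestamp description out, so the M, A and B events of one file stat hash to the same value; the later access to the same file gets the same content identifier but a different group identifier because the timestamp differs.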

class plaso.multi_processing.psort.PsortMultiProcessEngine(use_zeromq=True)[source]

Bases: plaso.multi_processing.engine.MultiProcessEngine

Psort multi-processing engine.

AnalyzeEvents(knowledge_base_object, storage_writer, data_location, analysis_plugins, processing_configuration, event_filter=None, event_filter_expression=None, status_update_callback=None, worker_memory_limit=None)[source]

Analyzes events in a plaso storage.

Parameters:
  • knowledge_base_object (KnowledgeBase) – contains information from the source data needed for processing.
  • storage_writer (StorageWriter) – storage writer.
  • data_location (str) – path to the location that data files should be loaded from.
  • analysis_plugins (dict[str, AnalysisPlugin]) – analysis plugins that should be run and their names.
  • processing_configuration (ProcessingConfiguration) – processing configuration.
  • event_filter (Optional[FilterObject]) – event filter.
  • event_filter_expression (Optional[str]) – event filter expression.
  • status_update_callback (Optional[function]) – callback function for status updates.
  • worker_memory_limit (Optional[int]) – maximum amount of memory a worker is allowed to consume, where None represents the default memory limit and 0 represents no limit.
Raises:

KeyboardInterrupt – if a keyboard interrupt was raised.

ExportEvents(knowledge_base_object, storage_reader, output_module, processing_configuration, deduplicate_events=True, event_filter=None, status_update_callback=None, time_slice=None, use_time_slicer=False)[source]

Exports events using an output module.

Parameters:
  • knowledge_base_object (KnowledgeBase) – contains information from the source data needed for processing.
  • storage_reader (StorageReader) – storage reader.
  • output_module (OutputModule) – output module.
  • processing_configuration (ProcessingConfiguration) – processing configuration.
  • deduplicate_events (Optional[bool]) – True if events should be deduplicated.
  • event_filter (Optional[FilterObject]) – event filter.
  • status_update_callback (Optional[function]) – callback function for status updates.
  • time_slice (Optional[TimeSlice]) – slice of time to output.
  • use_time_slicer (Optional[bool]) – True if the ‘time slicer’ should be used. The ‘time slicer’ will provide a context of events around an event of interest.
Returns:

counter that tracks the number of events extracted from storage.

Return type:

collections.Counter

plaso.multi_processing.rpc module

The RPC client and server interface.

class plaso.multi_processing.rpc.RPCClient[source]

Bases: object

RPC client interface.

CallFunction()[source]

Calls the function via RPC.

Close()[source]

Closes the RPC communication channel to the server.

Open(hostname, port)[source]

Opens a RPC communication channel to the server.

Parameters:
  • hostname (str) – hostname or IP address to connect to for requests.
  • port (int) – port to connect to for requests.
Returns:

True if the communication channel was established.

Return type:

bool

class plaso.multi_processing.rpc.RPCServer(callback)[source]

Bases: object

RPC server interface.

Start(hostname, port)[source]

Starts the RPC server.

Parameters:
  • hostname (str) – hostname or IP address the server accepts requests on.
  • port (int) – port the server accepts requests on.
Returns:

True if the RPC server was successfully started.

Return type:

bool

Stop()[source]

Stops the RPC server.

plaso.multi_processing.task_engine module

The task multi-process processing engine.

class plaso.multi_processing.task_engine.TaskMultiProcessEngine(maximum_number_of_tasks=10000, use_zeromq=True)[source]

Bases: plaso.multi_processing.engine.MultiProcessEngine

Class that defines the task multi-process engine.

This class contains functionality to:

  • monitor and manage extraction tasks;
  • merge results returned by extraction workers.

ProcessSources(session_identifier, source_path_specs, storage_writer, processing_configuration, enable_sigsegv_handler=False, filter_find_specs=None, number_of_worker_processes=0, status_update_callback=None, worker_memory_limit=None)[source]

Processes the sources and extracts events.

Parameters:
  • session_identifier (str) – identifier of the session.
  • source_path_specs (list[dfvfs.PathSpec]) – path specifications of the sources to process.
  • storage_writer (StorageWriter) – storage writer for a session storage.
  • processing_configuration (ProcessingConfiguration) – processing configuration.
  • enable_sigsegv_handler (Optional[bool]) – True if the SIGSEGV handler should be enabled.
  • filter_find_specs (Optional[list[dfvfs.FindSpec]]) – find specifications used in path specification extraction.
  • number_of_worker_processes (Optional[int]) – number of worker processes.
  • status_update_callback (Optional[function]) – callback function for status updates.
  • worker_memory_limit (Optional[int]) – maximum amount of memory a worker is allowed to consume, where None represents the default memory limit and 0 represents no limit.
Returns:

processing status.

Return type:

ProcessingStatus

plaso.multi_processing.task_manager module

The task manager.

class plaso.multi_processing.task_manager.TaskManager[source]

Bases: object

Manages tasks and tracks their completion and status.

A task being tracked by the manager must be in exactly one of the following states:

  • abandoned: a task that was queued or processing for longer than the
    maximum inactive time and is therefore assumed to be abandoned.
  • merging: a task that is being merged by the engine.
  • pending_merge: the task has been processed and is ready to be merged with
    the session storage.
  • processed: a worker has completed processing the task, but it is not ready
    to be merged into the session storage.
  • processing: a worker is processing the task.
  • queued: the task is waiting for a worker to start processing it. It is also
    possible that a worker has already completed the task, but no status update was collected from the worker while it processed the task.

Once the engine reports that a task is completely merged, it is removed from the task manager.

Tasks are considered “pending” when more work is needed to complete them. Pending applies to tasks that are:

  • not abandoned;
  • abandoned, but need to be retried.

Abandoned tasks without corresponding retry tasks are considered “failed” when the foreman is done processing.
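As an added example of the state model described above (this is not plaso's TaskManager), the tracker below keeps every task in exactly one state dictionary and implements the documented transitions: abandonment of queued or processing tasks after a maximum inactive time, at most one retry per abandoned task, the rule that an abandoned task without a retry counts as failed, and the KeyError contracts of UpdateTaskAsPendingMerge, RemoveTask and CompleteTask. The Task class, the AbandonInactiveTasks method, the injectable clock and the folding of the processed state into pending_merge are assumptions of the example.

```python
import time
import uuid


class Task:
    """Minimal stand-in for plaso's Task attribute container (assumed shape)."""

    def __init__(self, session_identifier):
        self.identifier = uuid.uuid4().hex
        self.session_identifier = session_identifier
        self.last_processing_time = 0.0
        self.has_retry = False               # set once a retry task was created
        self.original_task_identifier = None  # set on the retry task itself


class TaskTracker:
    """Tracks tasks through the documented TaskManager states.

    Added example, not plaso's implementation. A task is in exactly one of
    queued, processing, pending_merge, merging or abandoned (the processed
    state is folded into pending_merge here). Only queued and processing tasks
    can become abandoned; an abandoned task is retried at most once.
    """

    _STATES = ('queued', 'processing', 'pending_merge', 'merging', 'abandoned')

    def __init__(self, maximum_inactive_time=300.0, clock=time.monotonic):
        self._clock = clock  # injectable so callers can control elapsed time
        self._maximum_inactive_time = maximum_inactive_time
        self._tasks = {state: {} for state in self._STATES}

    def _Move(self, identifier, from_states, to_state):
        for state in from_states:
            task = self._tasks[state].pop(identifier, None)
            if task is not None:
                self._tasks[to_state][identifier] = task
                return task
        raise KeyError(f'task {identifier} is not {"/".join(from_states)}')

    def CreateTask(self, session_identifier):
        task = Task(session_identifier)
        task.last_processing_time = self._clock()
        self._tasks['queued'][task.identifier] = task
        return task

    def UpdateTaskAsProcessingByIdentifier(self, task_identifier):
        # A late status update may arrive for a task already marked abandoned.
        task = self._Move(
            task_identifier, ('queued', 'processing', 'abandoned'), 'processing')
        task.last_processing_time = self._clock()

    def AbandonInactiveTasks(self):
        """Moves queued/processing tasks past the inactivity limit to abandoned."""
        now = self._clock()
        for state in ('queued', 'processing'):
            for identifier, task in list(self._tasks[state].items()):
                if now - task.last_processing_time > self._maximum_inactive_time:
                    self._Move(identifier, (state,), 'abandoned')

    def CreateRetryTask(self):
        """Queues a retry for an abandoned task and returns it, or None."""
        for abandoned in self._tasks['abandoned'].values():
            if not abandoned.has_retry:
                abandoned.has_retry = True
                retry = self.CreateTask(abandoned.session_identifier)
                retry.original_task_identifier = abandoned.identifier
                return retry
        return None

    def UpdateTaskAsPendingMerge(self, task):
        if task.has_retry:
            raise KeyError(f'task {task.identifier} was abandoned and retried')
        self._Move(task.identifier, ('queued', 'processing', 'abandoned'),
                   'pending_merge')

    def GetTaskPendingMerge(self):
        """Moves the oldest pending task to merging and returns it, or None."""
        identifier = next(iter(self._tasks['pending_merge']), None)
        if identifier is None:
            return None
        return self._Move(identifier, ('pending_merge',), 'merging')

    def CompleteTask(self, task):
        if self._tasks['merging'].pop(task.identifier, None) is None:
            raise KeyError(f'task {task.identifier} is not merging')

    def RemoveTask(self, task):
        """Drops an abandoned task that has a retry; anything else is an error."""
        if not task.has_retry or task.identifier not in self._tasks['abandoned']:
            raise KeyError(f'task {task.identifier} is not abandoned and retried')
        del self._tasks['abandoned'][task.identifier]

    def GetFailedTasks(self):
        return [task for task in self._tasks['abandoned'].values()
                if not task.has_retry]

    def HasPendingTasks(self):
        active = any(self._tasks[state] for state in
                     ('queued', 'processing', 'pending_merge', 'merging'))
        return active or bool(self.GetFailedTasks())
```

The inactivity check is the interesting operational detail: a worker that stops reporting (crashed, killed by the memory limit, or wedged on hostile input) has its task abandoned and re-queued once, while a worker that merely reports late is moved back from abandoned to processing rather than losing its results.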

CheckTaskToMerge(task)[source]

Checks if the task should be merged.

Parameters:task (Task) – task.
Returns:True if the task should be merged.
Return type:bool
Raises:KeyError – if the task was not queued, processing or abandoned.
CompleteTask(task)[source]

Completes a task.

The task is complete and can be removed from the task manager.

Parameters:task (Task) – task.
Raises:KeyError – if the task was not merging.
CreateRetryTask()[source]

Creates a task to retry a previously abandoned task.

Returns:
a task that was abandoned but should be retried or None if there are
no abandoned tasks that should be retried.
Return type:Task
CreateTask(session_identifier)[source]

Creates a task.

Parameters:session_identifier (str) – the identifier of the session the task is part of.
Returns:task attribute container.
Return type:Task
GetFailedTasks()[source]

Retrieves all failed tasks.

Failed tasks are tasks that were abandoned and have no retry task once the foreman is done processing.

Returns:tasks.
Return type:list[Task]
GetProcessedTaskByIdentifier(task_identifier)[source]

Retrieves a task that has been processed.

Parameters:task_identifier (str) – unique identifier of the task.
Returns:a task that has been processed.
Return type:Task
Raises:KeyError – if the task was not processing, queued or abandoned.
GetStatusInformation()[source]

Retrieves status information about the tasks.

Returns:tasks status information.
Return type:TasksStatus
GetTaskPendingMerge(current_task)[source]

Retrieves the first task that is pending merge or has a higher priority.

This function will check if there is a task with a higher merge priority than the current_task being merged. If so, that task with the higher priority is returned.

Parameters:current_task (Task) – current task being merged or None if no such task.
Returns:
the next task to merge or None if there is no task pending merge or
with a higher priority.
Return type:Task
HasPendingTasks()[source]

Determines if there are tasks running or in need of retrying.

Returns:
True if there are tasks that are active, ready to be merged or
need to be retried.
Return type:bool
RemoveTask(task)[source]

Removes an abandoned task.

Parameters:task (Task) – task.
Raises:KeyError – if the task was not abandoned or the task was abandoned and was not retried.
SampleTaskStatus(task, status)[source]

Takes a sample of the status of the task for profiling.

Parameters:
  • task (Task) – a task.
  • status (str) – status.
StartProfiling(configuration, identifier)[source]

Starts profiling.

Parameters:
  • configuration (ProfilingConfiguration) – profiling configuration.
  • identifier (str) – identifier of the profiling session used to create the sample filename.
StopProfiling()[source]

Stops profiling.

UpdateTaskAsPendingMerge(task)[source]

Updates the task manager to reflect the task is ready to be merged.

Parameters:task (Task) – task.
Raises:KeyError – if the task was not queued, processing or abandoned, or the task was abandoned and has a retry task.
UpdateTaskAsProcessingByIdentifier(task_identifier)[source]

Updates the task manager to reflect the task is processing.

Parameters:task_identifier (str) – unique identifier of the task.
Raises:KeyError – if the task is not known to the task manager.
plaso.multi_processing.worker_process module

The multi-process worker process.

class plaso.multi_processing.worker_process.WorkerProcess(task_queue, storage_writer, knowledge_base, session_identifier, processing_configuration, **kwargs)[source]

Bases: plaso.multi_processing.base_process.MultiProcessBaseProcess

Class that defines a multi-processing worker process.

SignalAbort()[source]

Signals the process to abort.

Module contents

plaso.output package

Submodules
plaso.output.dynamic module

Contains a formatter for a dynamic output module for plaso.

class plaso.output.dynamic.DynamicFieldsHelper(output_mediator)[source]

Bases: object

Helper for outputting a dynamic selection of fields.

GetFormattedField(event, field_name)[source]

Formats the specified field.

Parameters:
  • event (EventObject) – event.
  • field_name (str) – name of the field.
Returns:

value of the field.

Return type:

str

class plaso.output.dynamic.DynamicOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Dynamic selection of fields for a separated value output format.

DESCRIPTION = 'Dynamic selection of fields for a separated value output format.'
NAME = 'dynamic'
SetFieldDelimiter(field_delimiter)[source]

Sets the field delimiter.

Parameters:field_delimiter (str) – field delimiter.
SetFields(fields)[source]

Sets the fields to output.

Parameters:fields (list[str]) – names of the fields to output.
WriteEventBody(event)[source]

Writes the body of an event to the output.

Parameters:event (EventObject) – event.
WriteHeader()[source]

Writes the header to the output.

plaso.output.elastic module

An output module that saves events to Elasticsearch.

class plaso.output.elastic.Elasticsearch5OutputModule(output_mediator)[source]

Bases: plaso.output.shared_elastic.SharedElasticsearch5OutputModule

Output module for Elasticsearch 5.

DESCRIPTION = 'Saves the events into an Elasticsearch5 database.'
NAME = 'elastic5'
SetRawFields(raw_fields)[source]

Set raw (non-analyzed) fields.

This is used for sorting and aggregations in Elasticsearch. https://www.elastic.co/guide/en/elasticsearch/reference/5.6/mapping-types.html#_multi_fields

Parameters:raw_fields (bool) – True if raw (non-analyzed) fields should be added.
WriteHeader()[source]

Connects to the Elasticsearch server and creates the index.

class plaso.output.elastic.ElasticsearchOutputModule(output_mediator)[source]

Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule

Output module for Elasticsearch.

DESCRIPTION = 'Saves the events into an Elasticsearch database.'
NAME = 'elastic'
SetRawFields(raw_fields)[source]

Set raw (non-analyzed) fields.

This is used for sorting and aggregations in Elasticsearch. https://www.elastic.co/guide/en/elasticsearch/guide/current/multi-fields.html

Parameters:raw_fields (bool) – True if raw (non-analyzed) fields should be added.
WriteHeader()[source]

Connects to the Elasticsearch server and creates the index.

plaso.output.interface module

This file contains the output module interface classes.

class plaso.output.interface.LinearOutputModule(output_mediator)[source]

Bases: plaso.output.interface.OutputModule

Linear output module.

Close()[source]

Closes the output.

SetOutputWriter(output_writer)[source]

Set the output writer.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.output.interface.OutputModule(output_mediator)[source]

Bases: object

Output module interface.

Close()[source]

Closes the output.

DESCRIPTION = ''
GetMissingArguments()[source]

Retrieves arguments required by the module that have not been specified.

Returns:
names of arguments that are required by the module and have
not been specified.
Return type:list[str]
NAME = ''
Open()[source]

Opens the output.

WriteEvent(event)[source]

Writes the event to the output.

Parameters:event (EventObject) – event.
WriteEventBody(event)[source]

Writes event values to the output.

Parameters:event (EventObject) – event that contains the event values.
WriteEventEnd()[source]

Writes the end of an event to the output.

Can be used for post-processing or output after an individual event has been written, such as writing closing XML tags, etc.

WriteEventMACBGroup(event_macb_group)[source]

Writes an event MACB group to the output.

An event MACB group is a group of events that have the same timestamp and event data (attributes and values), where the timestamp description (or usage) is one or more of MACB (modification, access, change, birth).

This function is called if the psort engine detected an event MACB group so that the output module, if supported, can represent the group as such. If not overridden this function will output every event individually.

Parameters:event_macb_group (list[EventObject]) – group of events with identical timestamps, attributes and values.
WriteEventStart()[source]

Writes the start of an event to the output.

Can be used for pre-processing or output before an individual event has been written, such as writing opening XML tags, etc.

WriteFooter()[source]

Writes the footer to the output.

Can be used for post-processing or output after the last event is written, such as writing a file footer.

WriteHeader()[source]

Writes the header to the output.

Can be used for pre-processing or output before the first event is written, such as writing a file header.

plaso.output.json_line module

Output module that saves data into a JSON line format.

JSON line format is a single JSON entry or event per line instead of grouping all the output into a single JSON entity.

class plaso.output.json_line.JSONLineOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Output module for the JSON line format.

DESCRIPTION = 'Saves the events into a JSON line format.'
NAME = 'json_line'
WriteEventBody(event)[source]

Writes the body of an event object to the output.

Parameters:event (EventObject) – event.
plaso.output.json_out module

Output module that saves data into a JSON format.

class plaso.output.json_out.JSONOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Output module for the JSON format.

DESCRIPTION = 'Saves the events into a JSON format.'
NAME = 'json'
WriteEventBody(event)[source]

Writes the body of an event object to the output.

Parameters:event (EventObject) – event.
WriteFooter()[source]

Writes the footer to the output.

WriteHeader()[source]

Writes the header to the output.

plaso.output.kml module

An output module that writes events with geographic data to a KML XML file.

The Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within Internet-based, two-dimensional maps and three-dimensional Earth browsers.

class plaso.output.kml.KMLOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Output module for a Keyhole Markup Language (KML) XML file.

DESCRIPTION = 'Saves events with geography data into a KML format.'
NAME = 'kml'
WriteEventBody(event)[source]

Writes the body of an event to the output.

Parameters:event (EventObject) – event.
WriteFooter()[source]

Writes the footer to the output.

WriteHeader()[source]

Writes the header to the output.

plaso.output.l2t_csv module

Output module for the log2timeline (L2T) CSV format.

For documentation on the L2T CSV format see: http://forensicswiki.org/wiki/L2T_CSV

class plaso.output.l2t_csv.L2TCSVOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

CSV format used by log2timeline, with 17 fixed fields.

DESCRIPTION = 'CSV format used by legacy log2timeline, with 17 fixed fields.'
NAME = 'l2tcsv'
WriteEventBody(event)[source]

Writes the body of an event object to the output.

Parameters:event (EventObject) – event.
Raises:NoFormatterFound – If no event formatter can be found to match the data type in the event object.
WriteEventMACBGroup(event_macb_group)[source]

Writes an event MACB group to the output.

Parameters:event_macb_group (list[EventObject]) – event MACB group.
WriteHeader()[source]

Writes the header to the output.

plaso.output.logger module

The output sub module logger.

plaso.output.manager module

Output plugin manager.

class plaso.output.manager.OutputManager[source]

Bases: object

Output module manager.

classmethod DeregisterOutput(output_class)[source]

Deregisters an output class.

The output classes are identified based on their NAME attribute.

Parameters:output_class (type) – output module class.
Raises:KeyError – if no output class is registered for the corresponding name.
classmethod GetDisabledOutputClasses()[source]

Retrieves the disabled output classes and their associated names.

Yields:tuple[str, type] – output module name and class.
classmethod GetOutputClass(name)[source]

Retrieves the output class for a specific name.

Parameters:

name (str) – name of the output module.

Returns:

output module class.

Return type:

type

Raises:
  • KeyError – if there is no output class found with the supplied name.
  • ValueError – if name is not a string.
classmethod GetOutputClasses()[source]

Retrieves the available output classes and their associated names.

Yields:tuple[str, type] – output class name and type object.
classmethod HasOutputClass(name)[source]

Determines if a specific output class is registered with the manager.

Parameters:name (str) – name of the output module.
Returns:True if the output class is registered.
Return type:bool
classmethod IsLinearOutputModule(name)[source]

Determines if a specific output class is a linear output module.

Parameters:name (str) – name of the output module.
Returns:True if the output module is linear.
Return type:bool
classmethod NewOutputModule(name, output_mediator)[source]

Creates a new output module object for the specified output format.

Parameters:
  • name (str) – name of the output module.
  • output_mediator (OutputMediator) – output mediator.
Returns:

output module.

Return type:

OutputModule

Raises:
  • KeyError – if there is no output class found with the supplied name.
  • ValueError – if name is not a string.
classmethod RegisterOutput(output_class, disabled=False)[source]

Registers an output class.

The output classes are identified based on their NAME attribute.

Parameters:
  • output_class (type) – output module class.
  • disabled (Optional[bool]) – True if the output module is disabled, for example because the module did not load correctly.
Raises:

KeyError – if output class is already set for the corresponding name.

classmethod RegisterOutputs(output_classes, disabled=False)[source]

Registers output classes.

The output classes are identified based on their NAME attribute.

Parameters:
  • output_classes (list[type]) – output module classes.
  • disabled (Optional[bool]) – True if the output module is disabled, for example because the module did not load correctly.
Raises:

KeyError – if output class is already set for the corresponding name.

plaso.output.mediator module

The output mediator object.

class plaso.output.mediator.OutputMediator(knowledge_base, formatter_mediator, fields_filter=None, preferred_encoding='utf-8')[source]

Bases: object

Output mediator.

fields_filter

FilterObject – filter object that indicates which fields to output.

GetEventFormatter(event)[source]

Retrieves the event formatter for a specific event type.

Parameters:event (EventObject) – event.
Returns:event formatter or None.
Return type:EventFormatter
GetFormatStringAttributeNames(event)[source]

Retrieves the attribute names in the format string.

Parameters:event (EventObject) – event.
Returns:
list containing the attribute names. If no event formatter to
match the event can be found the function returns None.
Return type:list[str]
GetFormattedMessages(event)[source]

Retrieves the formatted messages related to the event.

Parameters:event (EventObject) – event.
Returns:
  • str: full message string, or None if no event formatter was found.
  • str: short message string, or None if no event formatter was found.
Return type:tuple
GetFormattedSources(event)[source]

Retrieves the formatted sources related to the event.

Parameters:event (EventObject) – event.
Returns:
  • str: full source string, or None if no event formatter was found.
  • str: short source string, or None if no event formatter was found.
Return type:tuple
GetHostname(event, default_hostname='-')[source]

Retrieves the hostname related to the event.

Parameters:
  • event (EventObject) – event.
  • default_hostname (Optional[str]) – default hostname.
Returns:

hostname.

Return type:

str

GetMACBRepresentation(event)[source]

Retrieves the MACB representation.

Parameters:event (EventObject) – event.
Returns:MACB representation.
Return type:str
GetMACBRepresentationFromDescriptions(timestamp_descriptions)[source]

Determines the MACB representation from the timestamp descriptions.

MACB representation is a shorthand for representing one or more of modification, access, change, birth timestamp descriptions as the letters “MACB” or a “.” if the corresponding timestamp is not set.

Note that this is an output format shorthand and does not guarantee that the timestamps represent the same occurrence.

Parameters:timestamp_descriptions (list[str]) – timestamp descriptions, which are defined in definitions.TIME_DESCRIPTIONS.
Returns:MACB representation.
Return type:str
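Two passages above fit one worked example: the OutputModule interface, whose WriteHeader, WriteEventStart, WriteEventBody, WriteEventEnd, WriteEventMACBGroup and WriteFooter hooks the engine calls in a fixed order, and GetMACBRepresentationFromDescriptions, which turns a group's timestamp descriptions into the “MACB” shorthand. The code below is an added example and not plaso's output or mediator code: a lifecycle skeleton, a JSON-lines module that collapses a MACB group into one document carrying the shorthand, and a driver that calls the hooks in the documented order. Events are plain dicts, the four description-to-letter mappings are assumed to match definitions.TIME_DESCRIPTIONS, and the sample events are constructed.

```python
import io
import json

# Timestamp description -> MACB letter (assumed to match plaso's definitions).
MACB_LETTERS = {
    'Content Modification Time': 'M',
    'Last Access Time': 'A',
    'Metadata Modification Time': 'C',
    'Creation Time': 'B',
}


def GetMACBRepresentationFromDescriptions(timestamp_descriptions):
    """Returns the 'MACB' shorthand with '.' for every letter not present."""
    present = {MACB_LETTERS.get(desc) for desc in timestamp_descriptions}
    return ''.join(letter if letter in present else '.' for letter in 'MACB')


class OutputModule:
    """Lifecycle skeleton with the documented hooks (added example)."""

    def __init__(self, output_writer):
        self._output_writer = output_writer  # any object with write(str)

    # Hooks a concrete module overrides; the defaults emit nothing.
    def WriteHeader(self): pass
    def WriteFooter(self): pass
    def WriteEventStart(self): pass
    def WriteEventEnd(self): pass

    def WriteEventBody(self, event):
        raise NotImplementedError

    def WriteEvent(self, event):
        self.WriteEventStart()
        self.WriteEventBody(event)
        self.WriteEventEnd()

    def WriteEventMACBGroup(self, event_macb_group):
        # Default from the interface docs: a module that cannot represent a
        # group writes every member individually.
        for event in event_macb_group:
            self.WriteEvent(event)


class JSONLineOutputModule(OutputModule):
    """JSON lines output that collapses a MACB group into one document."""

    def _Document(self, event, timestamp_descriptions):
        return dict(
            event['data'], timestamp=event['timestamp'],
            macb=GetMACBRepresentationFromDescriptions(timestamp_descriptions))

    def _WriteDocument(self, document):
        # json.dumps escapes newlines and control characters, so a hostile
        # filename cannot inject an extra line into the timeline.
        self._output_writer.write(json.dumps(document, sort_keys=True) + '\n')

    def WriteEventBody(self, event):
        self._WriteDocument(self._Document(event, [event['timestamp_desc']]))

    def WriteEventMACBGroup(self, event_macb_group):
        descriptions = [event['timestamp_desc'] for event in event_macb_group]
        self._WriteDocument(self._Document(event_macb_group[0], descriptions))


def ExportEvents(output_module, event_groups):
    """Drives a module in the documented order: header, events/groups, footer."""
    output_module.WriteHeader()
    for group in event_groups:
        if len(group) > 1:
            output_module.WriteEventMACBGroup(group)
        else:
            output_module.WriteEvent(group[0])
    output_module.WriteFooter()


def _MakeEvent(timestamp, timestamp_desc, **data):
    return {'timestamp': timestamp, 'timestamp_desc': timestamp_desc, 'data': data}


# Constructed sample: a file with M and B at the same instant (a MACB group),
# a later access to it, and a file whose name carries a newline.
SAMPLE_EVENT_GROUPS = [
    [_MakeEvent(1509456000000000, 'Content Modification Time',
                data_type='fs:stat', filename='/etc/passwd'),
     _MakeEvent(1509456000000000, 'Creation Time',
                data_type='fs:stat', filename='/etc/passwd')],
    [_MakeEvent(1509460000000000, 'Last Access Time',
                data_type='fs:stat', filename='/etc/passwd')],
    [_MakeEvent(1509470000000000, 'Creation Time',
                data_type='fs:stat', filename='/tmp/evil\nname')],
]


def RenderJSONLines(event_groups=SAMPLE_EVENT_GROUPS):
    """Runs JSONLineOutputModule over the groups and returns the emitted text."""
    buffer = io.StringIO()
    ExportEvents(JSONLineOutputModule(buffer), event_groups)
    return buffer.getvalue()
```

The third sample event is the caveat a timeline consumer should care about: attacker-controlled strings such as filenames end up in the output, and a line-oriented format is only safe if the module escapes line breaks rather than writing the raw value.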
GetStoredHostname()[source]

Retrieves the stored hostname.

Returns:hostname.
Return type:str
GetUsername(event, default_username='-')[source]

Retrieves the username related to the event.

Parameters:
  • event (EventObject) – event.
  • default_username (Optional[str]) – default username.
Returns:

username.

Return type:

str

SetTimezone(timezone)[source]

Sets the timezone.

Parameters:timezone (str) – timezone.
Raises:ValueError – if the timezone is not supported.
encoding

str – preferred encoding.

filter_expression

str – filter expression if a filter is set, None otherwise.

timezone

The timezone.

plaso.output.mysql_4n6time module

Defines the output module for the MySQL database used by 4n6time.

class plaso.output.mysql_4n6time.MySQL4n6TimeOutputModule(output_mediator)[source]

Bases: plaso.output.shared_4n6time.Shared4n6TimeOutputModule

Class defining the MySQL database output module for 4n6time.

Close()[source]

Disconnects from the database.

This method will create the necessary indices and commit outstanding transactions before disconnecting.

DESCRIPTION = 'MySQL database output for the 4n6time tool.'
NAME = '4n6time_mysql'
Open()[source]

Connects to the database and creates the required tables.

Raises:
  • IOError – if unable to insert into the database.
  • ValueError – if no database name is given.
SetCredentials(password=None, username=None)[source]

Sets the database credentials.

Parameters:
  • password (Optional[str]) – password to access the database.
  • username (Optional[str]) – username to access the database.
SetDatabaseName(name)[source]

Sets the database name.

Parameters:name (str) – name of the database.
SetServerInformation(server, port)[source]

Sets the server information.

Parameters:
  • server (str) – hostname or IP address of the database server.
  • port (int) – port number of the database server.
WriteEventBody(event)[source]

Writes the body of an event object to the output.

Parameters:event (EventObject) – event.
plaso.output.null module

Null device output module.

class plaso.output.null.NullOutputModule(output_mediator)[source]

Bases: plaso.output.interface.OutputModule

Null device output module.

DESCRIPTION = 'Output module that does not output anything.'
NAME = 'null'
WriteEventBody(event)[source]

Writes the event object to the output.

Since this is the null output module nothing is actually written.

Parameters:event (EventObject) – event.
plaso.output.rawpy module

Output module for the “raw” (or native) Python format.

class plaso.output.rawpy.NativePythonFormatterHelper[source]

Bases: object

Helper for outputting as “raw” (or native) Python.

classmethod GetFormattedEventObject(event)[source]

Retrieves a string representation of the event.

Parameters:event (EventObject) – event.
Returns:string representation of the event.
Return type:str
class plaso.output.rawpy.NativePythonOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Output module for the “raw” (or native) Python output format.

DESCRIPTION = '"raw" (or native) Python output.'
NAME = 'rawpy'
WriteEventBody(event)[source]

Writes the body of an event to the output.

Parameters:event (EventObject) – event.
plaso.output.shared_4n6time module

Shared functionality for 4n6time output modules.

class plaso.output.shared_4n6time.Shared4n6TimeOutputModule(output_mediator)[source]

Bases: plaso.output.interface.OutputModule

Shared functionality for a 4n6time output module.

NAME = '4n6time_shared'
SetAppendMode(append)[source]

Set the append status.

Parameters:append (bool) – True if the events should be added to the database.
SetEvidence(evidence)[source]

Set the evidence field.

Parameters:evidence (str) – the evidence field.
SetFields(fields)[source]

Set the fields that will be indexed in the database.

Parameters:fields (list[str]) – a list of fields that should be indexed.
SetStatusObject(status_object)[source]

Set the status object.

Parameters:status_object (object) – status object provided by the 4n6time tool.
plaso.output.shared_elastic module

Shared code for Elasticsearch based output modules.

class plaso.output.shared_elastic.SharedElasticsearch5OutputModule(output_mediator)[source]

Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule

Shared output module for Elasticsearch 5.

class plaso.output.shared_elastic.SharedElasticsearchOutputModule(output_mediator)[source]

Bases: plaso.output.interface.OutputModule

Shared functionality for an Elasticsearch output module.

Close()[source]

Closes connection to Elasticsearch.

Inserts any remaining buffered event documents.

NAME = 'elastic_shared'
SetDocumentType(document_type)[source]

Sets the document type.

Parameters:document_type (str) – document type.
SetFlushInterval(flush_interval)[source]

Set the flush interval.

Parameters:flush_interval (int) – number of events to buffer before doing a bulk insert.
SetIndexName(index_name)[source]

Set the index name.

Parameters:index_name (str) – name of the index.
SetPassword(password)[source]

Set the password.

Parameters:password (str) – password to authenticate with.
SetServerInformation(server, port)[source]

Set the server information.

Parameters:
  • server (str) – IP address or hostname of the server.
  • port (int) – Port number of the server.
SetUsername(username)[source]

Sets the username.

Parameters:username (str) – username to authenticate with.
WriteEventBody(event)[source]

Writes an event to the output.

Parameters:event (EventObject) – event.
plaso.output.sqlite_4n6time module

Defines the output module for the SQLite database used by 4n6time.

class plaso.output.sqlite_4n6time.SQLite4n6TimeOutputModule(output_mediator)[source]

Bases: plaso.output.shared_4n6time.Shared4n6TimeOutputModule

Saves the data in a SQLite database, used by the tool 4n6time.

Close()[source]

Disconnects from the database.

This method will create the necessary indices and commit outstanding transactions before disconnecting.

DESCRIPTION = 'Saves the data in a SQLite database, used by the tool 4n6time.'
NAME = '4n6time_sqlite'
Open()[source]

Connects to the database and creates the required tables.

Raises:
  • IOError – if the specified output file already exists.
  • ValueError – if the filename is not set.
SetFilename(filename)[source]

Sets the filename.

Parameters:filename (str) – the filename.
WriteEventBody(event)[source]

Writes the body of an event to the output.

Parameters:event (EventObject) – event.
plaso.output.timesketch_out module

Timesketch output module.

class plaso.output.timesketch_out.TimesketchOutputModule(output_mediator)[source]

Bases: plaso.output.shared_elastic.SharedElasticsearch5OutputModule

Output module for Timesketch.

Close()[source]

Closes the connection to TimeSketch Elasticsearch database.

Sends the remaining events for indexing and removes the processing status on the Timesketch search index object.

DESCRIPTION = 'Create a Timesketch timeline.'
GetMissingArguments()[source]

Retrieves a list of arguments that are missing from the input.

Returns:
names of arguments that are required by the module and have
not been specified.
Return type:list[str]
NAME = 'timesketch'
SetTimelineName(timeline_name)[source]

Sets the timeline name.

Parameters:timeline_name (str) – timeline name.
SetTimelineOwner(username)[source]

Sets the username of the user that should own the timeline.

Parameters:username (str) – username.
WriteHeader()[source]

Sets up the Elasticsearch index and the Timesketch database object.

Creates the Elasticsearch index with Timesketch specific settings and the Timesketch SearchIndex database object.

plaso.output.tln module

Output module for the TLN format.

For documentation on the TLN format see: http://forensicswiki.org/wiki/TLN

class plaso.output.tln.L2TTLNOutputModule(output_mediator)[source]

Bases: plaso.output.tln.TLNBaseOutputModule

Output module for the log2timeline extended variant of the TLN format.

l2tTLN is an extended variant of TLN introduced in log2timeline 0.65.

l2tTLN extends basic TLN to 7 | separated fields, namely:
  • Time - 32-bit POSIX (or Unix) epoch timestamp.
  • Source - The name of the parser or plugin that produced the event.
  • Host - The source host system.
  • User - The user associated with the data.
  • Description - Message string describing the data.
  • TZ - L2T 0.65 field. Timezone of the event.
  • Notes - L2T 0.65 field. Optional notes field or filename and inode.

DESCRIPTION = 'Extended TLN 7 field | delimited output.'
NAME = 'l2ttln'
WriteEventBody(event)[source]

Writes the body of an event object to the output.

Parameters:event (EventObject) – event.
class plaso.output.tln.TLNBaseOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Base class for a TLN output module.

WriteHeader()[source]

Writes the header to the output.

class plaso.output.tln.TLNOutputModule(output_mediator)[source]

Bases: plaso.output.tln.TLNBaseOutputModule

Output module for the TLN format.

TLN defines 5 | separated fields, namely:
  • Time - 32-bit POSIX (or Unix) epoch timestamp.
  • Source - The name of the parser or plugin that produced the event.
  • Host - The source host system.
  • User - The user associated with the data.
  • Description - Message string describing the data.

DESCRIPTION = 'TLN 5 field | delimited output.'
NAME = 'tln'
WriteEventBody(event)[source]

Writes event values to the output.

Parameters:event (EventObject) – event that contains the event values.
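The two field layouts above are easy to get subtly wrong when post-processing TLN output outside of plaso: the format has no quoting, so a '|' inside a message shifts every later field, and the Time field is a 32-bit POSIX value, so plaso's microsecond timestamps lose their sub-second part and anything outside 1970-2106 cannot be represented. The following is an added example (not plaso's own tln module) that writes and reads both the 5-field TLN and the 7-field l2tTLN layout. The sample events are constructed here, the field names on the event dictionaries (timestamp, source, hostname, username, message, timezone, notes) are this example's own, and replacing '|' and newlines with a space is the example's sanitizing policy, not necessarily plaso's.

```python
"""Writing and reading TLN / l2tTLN lines (added example, not plaso code)."""
import datetime

TLN_FIELDS = ('Time', 'Source', 'Host', 'User', 'Description')
L2TTLN_FIELDS = TLN_FIELDS + ('TZ', 'Notes')

# Constructed sample events with plaso-style microsecond timestamps. The first
# message deliberately contains a '|' to exercise the sanitizer.
SAMPLE_EVENTS = [
    {'timestamp': 1506729600123456, 'source': 'FILE', 'hostname': 'ws01',
     'username': 'alice', 'message': 'Last Access C:\\Users\\alice|notes.txt',
     'timezone': 'UTC', 'notes': 'File: C:\\Users\\alice\\notes.txt inode: 4711'},
    {'timestamp': 1506816000000000, 'source': 'EVT', 'hostname': 'ws01',
     'username': None, 'message': 'Security: 4624 logon', 'timezone': 'UTC'},
]


def _sanitize(value):
  """TLN has no quoting: a '|' inside a field would shift every later field."""
  if value is None:
    return '-'
  return str(value).replace('|', ' ').replace('\n', ' ').replace('\r', ' ')


def to_posix_seconds(timestamp_usec):
  """Converts a microsecond timestamp to a 32-bit POSIX time.

  Sub-second precision is dropped, and a value outside the unsigned 32-bit
  range (before 1970 or after 2106) cannot be expressed in TLN at all.
  """
  seconds = timestamp_usec // 1000000
  if not 0 <= seconds <= 0xFFFFFFFF:
    raise ValueError(f'{seconds} does not fit in a 32-bit POSIX timestamp')
  return seconds


def format_tln(event, extended=False):
  """Formats one event as a 5-field TLN or a 7-field l2tTLN line."""
  fields = [
      str(to_posix_seconds(event['timestamp'])),
      _sanitize(event.get('source')),
      _sanitize(event.get('hostname')),
      _sanitize(event.get('username')),
      _sanitize(event.get('message'))]
  if extended:
    fields.append(_sanitize(event.get('timezone', 'UTC')))
    fields.append(_sanitize(event.get('notes')))
  return '|'.join(fields)


def write_tln(events, extended=False):
  """Returns the header line followed by one line per event."""
  header = '|'.join(L2TTLN_FIELDS if extended else TLN_FIELDS)
  return [header] + [format_tln(event, extended) for event in events]


def parse_tln(line):
  """Parses a TLN or l2tTLN line into a dict; the field count tells them apart."""
  parts = line.rstrip('\r\n').split('|')
  if len(parts) == len(TLN_FIELDS):
    names = TLN_FIELDS
  elif len(parts) == len(L2TTLN_FIELDS):
    names = L2TTLN_FIELDS
  else:
    raise ValueError(f'expected 5 or 7 fields, got {len(parts)}: {line!r}')
  record = dict(zip(names, parts))
  record['Time'] = int(record['Time'])
  record['datetime'] = datetime.datetime.fromtimestamp(
      record['Time'], datetime.timezone.utc)
  return record


if __name__ == '__main__':
  for line in write_tln(SAMPLE_EVENTS, extended=True):
    print(line)
```

Because parse_tln() distinguishes the layouts only by field count, a line that was written without sanitizing (one stray '|' in a description) parses as the wrong layout or fails outright; when consuming TLN from other tools, check the header line and the field count before trusting the Time column.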
plaso.output.xlsx module

Output module for the Excel Spreadsheet (XLSX) output format.

class plaso.output.xlsx.XLSXOutputModule(output_mediator)[source]

Bases: plaso.output.interface.OutputModule

Output module for the Excel Spreadsheet (XLSX) output format.

Close()[source]

Closes the output.

DESCRIPTION = 'Excel Spreadsheet (XLSX) output'
NAME = 'xlsx'
Open()[source]

Creates a new workbook.

Raises:
  • IOError – if the specified output file already exists.
  • ValueError – if the filename is not set.
SetFields(fields)[source]

Sets the fields to output.

Parameters:fields (list[str]) – names of the fields to output.
SetFilename(filename)[source]

Sets the filename.

Parameters:filename (str) – filename.
SetTimestampFormat(timestamp_format)[source]

Sets the timestamp format to use for the datetime column.

Parameters:timestamp_format (str) – format string of date and time values.
WriteEventBody(event)[source]

Writes the body of an event object to the spreadsheet.

Parameters:event (EventObject) – event.
WriteHeader()[source]

Writes the header to the spreadsheet.

Module contents

This file imports Python modules that register output modules.

plaso.parsers package

Subpackages
plaso.parsers.bencode_plugins package
Submodules
plaso.parsers.bencode_plugins.interface module

This module contains the basic interface for bencode plugins within Plaso.

Bencoded files are only one example of a type of object that the Plaso tool is expected to encounter and process. There can be and are many other parsers which are designed to process specific data types.

BencodePlugin defines the attributes necessary for registration, discovery and operation of plugins for bencoded files which will be used by BencodeParser.

class plaso.parsers.bencode_plugins.interface.BencodePlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

This is an abstract class from which plugins should be based.

BENCODE_KEYS = frozenset({'any'})
GetEntries(parser_mediator, data=None, **kwargs)[source]

Extracts event object from the values of entries within a bencoded file.

This is the main method that a bencode plugin needs to implement.

The contents of the bencode keys defined in BENCODE_KEYS can be made available to the plugin both as a match dictionary ({‘KEY’: ‘value’}) and as the entire bencoded data dictionary. The plugin should implement logic to parse the most relevant data set into a useful event for incorporation into the Plaso timeline.

The attributes for a BencodeEvent should include the following:
  • root - Root key this event was extracted from.
  • key - Key the value resided in.
  • time - Date this artifact was created, in microseconds (usec) since January 1, 1970 00:00:00 UTC.
  • desc - Short description.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • data (Optional[dict[str, object]]) – bencode data values.
NAME = 'bencode'
Process(parser_mediator, data, **kwargs)[source]

Determine if this is the correct plugin; if so proceed with processing.

Process() checks if the current bencode file being processed is a match for a plugin by comparing the PATH and KEY requirements defined by a plugin. If both match processing continues; else raise WrongBencodePlugin.

This function also extracts the required keys as defined in self.BENCODE_KEYS from the file and stores the result in match[key] and calls self.GetEntries() which holds the processing logic implemented by the plugin.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • data (dict[str, object]) – bencode data values.
Raises:
  • WrongBencodePlugin – If this plugin is not able to process the given file.
  • ValueError – If top level is not set.
URLS = []
plaso.parsers.bencode_plugins.transmission module

Bencode parser plugin for Transmission BitTorrent files.

class plaso.parsers.bencode_plugins.transmission.TransmissionEventData[source]

Bases: plaso.containers.events.EventData

Transmission BitTorrent event data.

destination

str – downloaded file name within .torrent file

seedtime

int – number of seconds client seeded torrent

DATA_TYPE = 'p2p:bittorrent:transmission'
class plaso.parsers.bencode_plugins.transmission.TransmissionPlugin[source]

Bases: plaso.parsers.bencode_plugins.interface.BencodePlugin

Parse Transmission BitTorrent activity file for current torrents.

BENCODE_KEYS = frozenset({'seeding-time-seconds', 'destination', 'added-date', 'done-date', 'activity-date'})
DESCRIPTION = 'Parser for Transmission bencoded files.'
GetEntries(parser_mediator, data=None, **unused_kwargs)[source]

Extract data from Transmission’s resume folder files.

This is the main parsing engine for the parser. It determines if the selected file is the proper file to parse and extracts current running torrents.

Transmission stores an individual Bencoded file for each active download in a folder named resume under the user’s application data folder.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • data (Optional[dict[str, object]]) – bencode data values.
NAME = 'bencode_transmission'
plaso.parsers.bencode_plugins.utorrent module

Bencode parser plugin for uTorrent files.

class plaso.parsers.bencode_plugins.utorrent.UTorrentEventData[source]

Bases: plaso.containers.events.EventData

uTorrent event data.

caption

str – official name of package

path

str – Torrent download location

seedtime

int – number of seconds client seeded torrent

DATA_TYPE = 'p2p:bittorrent:utorrent'
class plaso.parsers.bencode_plugins.utorrent.UTorrentPlugin[source]

Bases: plaso.parsers.bencode_plugins.interface.BencodePlugin

Plugin to extract uTorrent active torrent events.

BENCODE_KEYS = frozenset({'.fileguard'})
DESCRIPTION = 'Parser for uTorrent bencoded files.'
GetEntries(parser_mediator, data=None, **unused_kwargs)[source]

Extracts uTorrent active torrents.

This is the main parsing engine for the plugin. It determines if the selected file is the proper file to parse and extracts current running torrents.

interface.Process() checks for the given BENCODE_KEYS set, ensures that it matches, and then passes the bencoded data to this function for parsing. This plugin then parses the entire set of bencoded data to extract the variable file-name keys to retrieve their values.

uTorrent creates a file, resume.dat, and a backup, resume.dat.old, for all active torrents. These are typically stored in the user’s application data folder.

These files, at a minimum, contain a ‘.fileguard’ key and a dictionary with a key name for a particular download with a ‘.torrent’ file extension.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • data (Optional[dict[str, object]]) – bencode data values.
NAME = 'bencode_utorrent'
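The three descriptions above (the key matching in BencodePlugin.Process(), the Transmission resume files with their added-date, done-date and activity-date keys, and the uTorrent resume.dat with its .fileguard key and one dictionary per '*.torrent' entry) are shown end to end in the following added example. It is not plaso's parser code: it decodes bencoded bytes, performs the same top-level key check Process() performs (all keys in BENCODE_KEYS present, otherwise WrongBencodePlugin), and hands the data to a Transmission- or uTorrent-style extractor. The sample files are constructed in memory; the per-torrent uTorrent key names used here (caption, path, seedtime, added_on, completed_on, modtime) are assumptions about the resume.dat layout to verify against a real file.

```python
"""Bencode decoding and plugin key matching (added example, not plaso code)."""


class WrongBencodePlugin(Exception):
  """The data does not carry the keys this plugin requires."""


def encode_bencode(value):
  """Encodes int, str/bytes, list and dict as bencode (used to build samples)."""
  if isinstance(value, bool):
    raise TypeError('bencode has no boolean type')
  if isinstance(value, int):
    return b'i%de' % value
  if isinstance(value, str):
    value = value.encode('utf-8')
  if isinstance(value, bytes):
    return b'%d:%s' % (len(value), value)
  if isinstance(value, list):
    return b'l' + b''.join(encode_bencode(item) for item in value) + b'e'
  if isinstance(value, dict):  # keys are sorted in the canonical encoding
    return b'd' + b''.join(
        encode_bencode(key) + encode_bencode(value[key])
        for key in sorted(value)) + b'e'
  raise TypeError(f'cannot bencode {type(value).__name__}')


def decode_bencode(data):
  """Decodes bencoded bytes; raises ValueError on malformed or trailing data."""
  value, offset = _decode(data, 0)
  if offset != len(data):
    raise ValueError(f'{len(data) - offset} trailing bytes after bencoded value')
  return value


def _decode(data, offset):
  marker = data[offset:offset + 1]
  if marker == b'i':  # integer: i<digits>e
    end = data.index(b'e', offset)
    return int(data[offset + 1:end]), end + 1
  if marker == b'l':  # list: l<items>e
    items, offset = [], offset + 1
    while data[offset:offset + 1] != b'e':
      item, offset = _decode(data, offset)
      items.append(item)
    return items, offset + 1
  if marker == b'd':  # dictionary: d<key><value>...e, keys are byte strings
    result, offset = {}, offset + 1
    while data[offset:offset + 1] != b'e':
      key, offset = _decode(data, offset)
      if not isinstance(key, bytes):
        raise ValueError(f'dictionary key before offset {offset} is not a string')
      value, offset = _decode(data, offset)
      result[key.decode('utf-8', 'replace')] = value
    return result, offset + 1
  if marker.isdigit():  # byte string: <length>:<bytes>
    colon = data.index(b':', offset)
    length, start = int(data[offset:colon]), colon + 1
    if start + length > len(data):
      raise ValueError(f'string at offset {offset} runs past the end of data')
    return data[start:start + length], start + length
  raise ValueError(f'unexpected byte {marker!r} at offset {offset}')


TRANSMISSION_KEYS = frozenset({
    'seeding-time-seconds', 'destination', 'added-date', 'done-date',
    'activity-date'})
UTORRENT_KEYS = frozenset({'.fileguard'})


def match_keys(data, required_keys):
  """The selection step of Process(): all required keys, or WrongBencodePlugin."""
  if not isinstance(data, dict):
    raise ValueError('top level is not a bencoded dictionary')
  missing = required_keys - set(data)
  if missing:
    raise WrongBencodePlugin(f'missing keys: {sorted(missing)}')
  return {key: data[key] for key in required_keys}


def transmission_entries(data):
  """One entry per set timestamp in a Transmission resume file."""
  match = match_keys(data, TRANSMISSION_KEYS)
  entries = []
  for key, description in (('added-date', 'Added Time'),
                           ('done-date', 'Done Time'),
                           ('activity-date', 'Last Activity Time')):
    if match[key]:  # a zero timestamp means the event has not happened yet
      entries.append({
          'timestamp': match[key], 'timestamp_desc': description,
          'destination': match['destination'].decode('utf-8', 'replace'),
          'seedtime': match['seeding-time-seconds']})
  return entries


def utorrent_entries(data):
  """One entry per set timestamp of every '*.torrent' key in resume.dat."""
  match_keys(data, UTORRENT_KEYS)
  entries = []
  for name, torrent in data.items():
    if not name.endswith('.torrent') or not isinstance(torrent, dict):
      continue
    for key, description in (('added_on', 'Added Time'),
                             ('completed_on', 'Done Time'),
                             ('modtime', 'Modification Time')):
      if torrent.get(key):  # assumed uTorrent key names, see lead-in
        entries.append({
            'timestamp': torrent[key], 'timestamp_desc': description,
            'torrent': name,
            'caption': torrent.get('caption', b'').decode('utf-8', 'replace'),
            'path': torrent.get('path', b'').decode('utf-8', 'replace'),
            'seedtime': torrent.get('seedtime')})
  return entries


# Constructed sample files, bencoded in memory (no real torrent data).
TRANSMISSION_SAMPLE = encode_bencode({
    'activity-date': 1506816000, 'added-date': 1506729600, 'done-date': 0,
    'destination': '/home/alice/Downloads', 'name': 'ubuntu-17.04.iso',
    'seeding-time-seconds': 3600})
UTORRENT_SAMPLE = encode_bencode({
    '.fileguard': 'constructed', 'rec': [],
    'ubuntu-17.04.iso.torrent': {
        'added_on': 1506729600, 'caption': 'ubuntu-17.04.iso',
        'completed_on': 1506816000, 'modtime': 0,
        'path': 'C:\\Users\\alice\\Downloads\\ubuntu-17.04.iso',
        'seedtime': 120}})
```

The decoder is strict on purpose: trailing bytes, a truncated string length, a non-string dictionary key or an unexpected byte all raise ValueError instead of returning a partial dictionary, so a damaged or hostile resume file fails at the decoding step rather than producing events with missing keys later on.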
Module contents

Imports for the bencode parser.

plaso.parsers.esedb_plugins package
Submodules
plaso.parsers.esedb_plugins.file_history module

Parser for the Microsoft File History ESE database.

class plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin[source]

Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin

Parses a File History ESE database file.

DESCRIPTION = 'Parser for File History ESE database files.'
NAME = 'file_history'
ParseNameSpace(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]

Parses the namespace table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • cache (Optional[ESEDBCache]) – cache.
  • database (Optional[pyesedb.file]) – ESE database.
  • table (Optional[pyesedb.table]) – table.
Raises:

ValueError – if the database or table value is missing.

REQUIRED_TABLES = {'backupset': '', 'file': '', 'library': '', 'namespace': 'ParseNameSpace'}
class plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData[source]

Bases: plaso.containers.events.EventData

File history namespace table event data.

file_attribute

int – file attribute.

identifier

str – identifier.

original_filename

str – original file name.

parent_identifier

str – parent identifier.

usn_number

int – USN number.

DATA_TYPE = 'file_history:namespace:event'
plaso.parsers.esedb_plugins.interface module

This file contains the interface for ESE database plugins.

class plaso.parsers.esedb_plugins.interface.ESEDBPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

The ESE database plugin interface.

BINARY_DATA_COLUMN_TYPES = frozenset({...}) (two pyesedb column type constants; their values are not rendered here because pyesedb was mocked when this documentation was built)
FLOATING_POINT_COLUMN_TYPES = frozenset({...}) (two pyesedb column type constants; not rendered, see above)
GetEntries(parser_mediator, cache=None, database=None, **kwargs)[source]

Extracts event objects from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • cache (Optional[ESEDBCache]) – cache.
  • database (Optional[pyesedb.file]) – ESE database.
Raises:

ValueError – If the database attribute is not valid.

INTEGER_COLUMN_TYPES = frozenset({...}) (eight pyesedb column type constants; not rendered because pyesedb was mocked when this documentation was built)
NAME = 'esedb'
OPTIONAL_TABLES = {}
Process(parser_mediator, cache=None, database=None, **kwargs)[source]

Determines if this is the appropriate plugin for the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • cache (Optional[ESEDBCache]) – cache.
  • database (Optional[pyesedb.file]) – ESE database.
Raises:

ValueError – If the database attribute is not valid.

REQUIRED_TABLES = {}
STRING_COLUMN_TYPES = frozenset({...}) (two pyesedb column type constants; not rendered because pyesedb was mocked when this documentation was built)
required_tables

set[str] – required table names.

plaso.parsers.esedb_plugins.msie_webcache module

Parser for the Microsoft Internet Explorer WebCache ESE database.

The WebCache database (WebCacheV01.dat or WebCacheV24.dat) is used by MSIE as of version 10.

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData[source]

Bases: plaso.containers.events.EventData

MSIE WebCache Container table event data.

access_count

int – access count.

cached_filename

str – name of the cached file.

cached_file_size

int – size of the cached file.

cache_identifier

int – cache identifier.

container_identifier

int – container identifier.

entry_identifier

int – entry identifier.

file_extension

str – file extension.

redirect_url

str – URL from which the request was redirected.

request_headers

str – request headers.

response_headers

str – response headers.

sync_count

int – sync count.

url

str – URL.

DATA_TYPE = 'msie:webcache:container'
class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData[source]

Bases: plaso.containers.events.EventData

MSIE WebCache Containers table event data.

container_identifier

int – container identifier.

directory

str – name of the cache directory.

name

str – name of the cache container.

set_identifier

int – set identifier.

DATA_TYPE = 'msie:webcache:containers'
class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin[source]

Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin

Parses a MSIE WebCache ESE database file.

DESCRIPTION = 'Parser for MSIE WebCache ESE database files.'
NAME = 'msie_webcache'
ParseContainersTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses the Containers table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • database (Optional[pyesedb.file]) – ESE database.
  • table (Optional[pyesedb.table]) – table.
Raises:

ValueError – if the database or table value is missing.

ParseLeakFilesTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses the LeakFiles table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • database (Optional[pyesedb.file]) – ESE database.
  • table (Optional[pyesedb.table]) – table.
Raises:

ValueError – if the database or table value is missing.

ParsePartitionsTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses the Partitions table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • database (Optional[pyesedb.file]) – ESE database.
  • table (Optional[pyesedb.table]) – table.
Raises:

ValueError – if the database or table value is missing.

REQUIRED_TABLES = {'Containers': 'ParseContainersTable', 'LeakFiles': 'ParseLeakFilesTable', 'Partitions': 'ParsePartitionsTable'}
class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData[source]

Bases: plaso.containers.events.EventData

MSIE WebCache LeakFiles event data.

cached_filename

str – name of the cached file.

leak_identifier

int – leak identifier.

DATA_TYPE = 'msie:webcache:leak_file'
class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData[source]

Bases: plaso.containers.events.EventData

MSIE WebCache Partitions table event data.

directory

str – directory.

partition_identifier

int – partition identifier.

partition_type

int – partition type.

table_identifier

int – table identifier.

DATA_TYPE = 'msie:webcache:partitions'
plaso.parsers.esedb_plugins.srum module

Parser for the System Resource Usage Monitor (SRUM) ESE database.

For more information about the database format see: https://github.com/libyal/esedb-kb/blob/master/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc

class plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData[source]

Bases: plaso.containers.events.EventData

SRUM application resource usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application

str – application.

background_bytes_read

int – background number of bytes read.

background_bytes_written

int – background number of bytes written.

background_context_switches

int – number of background context switches.

background_cycle_time

int – background cycle time.

background_number_for_flushes

int – background number of flushes.

background_number_for_read_operations

int – background number of read operations.

background_number_for_write_operations

int – background number of write operations.

face_time

int – face time.

foreground_bytes_read

int – foreground number of bytes read.

foreground_bytes_written

int – foreground number of bytes written.

foreground_context_switches

int – number of foreground context switches.

foreground_cycle_time

int – foreground cycle time.

foreground_number_for_flushes

int – foreground number of flushes.

foreground_number_for_read_operations

int – foreground number of read operations.

foreground_number_for_write_operations

int – foreground number of write operations.

identifier

int – record identifier.

user_identifier

str – user identifier, which is a Windows NT security identifier.

DATA_TYPE = 'windows:srum:application_usage'
class plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData[source]

Bases: plaso.containers.events.EventData

SRUM network connectivity usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application

str – application.

identifier

int – record identifier.

interface_luid

int – interface locally unique identifier (LUID).

l2_profile_flags

int – L2 profile flags.

l2_profile_identifier

int – L2 profile identifier.

user_identifier

str – user identifier, which is a Windows NT security identifier.

DATA_TYPE = 'windows:srum:network_connectivity'
class plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData[source]

Bases: plaso.containers.events.EventData

SRUM network data usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application

str – application.

bytes_received

int – number of bytes received.

bytes_sent

int – number of bytes sent.

identifier

int – record identifier.

interface_luid

int – interface locally unique identifier (LUID).

l2_profile_flags

int – L2 profile flags.

l2_profile_identifier

int – L2 profile identifier.

user_identifier

str – user identifier, which is a Windows NT security identifier.

DATA_TYPE = 'windows:srum:network_usage'
class plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin[source]

Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin

Parses a System Resource Usage Monitor (SRUM) ESE database file.

DESCRIPTION = 'Parser for System Resource Usage Monitor (SRUM) ESE database files.'
NAME = 'srum'
OPTIONAL_TABLES = {'{973F5D5C-1D90-4944-BE8E-24B94231A174}': 'ParseNetworkDataUsage', '{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}': 'ParseApplicationResourceUsage', '{DD6636C4-8929-4683-974E-22C046A43763}': 'ParseNetworkConnectivityUsage'}
ParseApplicationResourceUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]

Parses the application resource usage table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
  • database (Optional[pyesedb.file]) – ESE database.
  • table (Optional[pyesedb.table]) – table.
ParseNetworkConnectivityUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]

Parses the network connectivity usage monitor table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
  • database (Optional[pyesedb.file]) – ESE database.
  • table (Optional[pyesedb.table]) – table.
ParseNetworkDataUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]

Parses the network data usage monitor table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
  • database (Optional[pyesedb.file]) – ESE database.
  • table (Optional[pyesedb.table]) – table.
REQUIRED_TABLES = {'SruDbIdMapTable': ''}
Module contents

Imports for the ESE database parser.

plaso.parsers.olecf_plugins package
Submodules
plaso.parsers.olecf_plugins.automatic_destinations module

Plugin to parse .automaticDestinations-ms OLECF files.

class plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData[source]

Bases: plaso.containers.events.EventData

.automaticDestinations-ms DestList entry event data.

birth_droid_file_identifier

str – birth droid file identifier.

birth_droid_volume_identifier

str – birth droid volume identifier.

droid_file_identifier

str – droid file identifier.

droid_volume_identifier

str – droid volume identifier.

entry_number

int – DestList entry number.

path

str – path.

pin_status

int – pin status.

offset

int – offset of the DestList entry relative to the start of the DestList stream.

DATA_TYPE = 'olecf:dest_list:entry'
class plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin[source]

Bases: plaso.parsers.olecf_plugins.dtfabric_plugin.DtFabricBaseOLECFPlugin

Plugin that parses an .automaticDestinations-ms OLECF file.

DESCRIPTION = 'Parser for *.automaticDestinations-ms OLECF files.'
NAME = 'olecf_automatic_destinations'
ParseDestList(parser_mediator, olecf_item)[source]

Parses the DestList OLECF item.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • olecf_item (pyolecf.item) – OLECF item.
Raises:

UnableToParseFile – if the DestList cannot be parsed.

Process(parser_mediator, root_item=None, **kwargs)[source]

Parses an OLECF file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises:

ValueError – If the root_item is not set.

REQUIRED_ITEMS = frozenset({'DestList'})
plaso.parsers.olecf_plugins.default module

The default plugin for parsing OLE Compound Files (OLECF).

class plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin[source]

Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin

Class to define the default OLECF file plugin.

DESCRIPTION = 'Parser for a generic OLECF item.'
NAME = 'olecf_default'
Process(parser_mediator, root_item=None, **kwargs)[source]

Parses an OLECF file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises:

ValueError – If the root item is not set.

class plaso.parsers.olecf_plugins.default.OLECFItemEventData[source]

Bases: plaso.containers.events.EventData

OLECF item event data.

name

str – name of the OLE Compound File item.

size

int – data size of the OLE Compound File item.

DATA_TYPE = 'olecf:item'
plaso.parsers.olecf_plugins.dtfabric_plugin module

Shared functionality for dtFabric-based data format OLE CF plugins.

class plaso.parsers.olecf_plugins.dtfabric_plugin.DtFabricBaseOLECFPlugin[source]

Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin

Shared functionality for dtFabric-based data format OLE CF plugins.

A dtFabric-based data format OLE CF plugin defines its data format structures in a dtFabric definition file, for example “dtfabric.yaml”:

  name: int32
  type: integer
  description: 32-bit signed integer type
  attributes:
    format: signed
    size: 4
    units: bytes
  ---
  name: point3d
  aliases: [POINT]
  type: structure
  description: Point in 3 dimensional space.
  attributes:
    byte_order: little-endian
  members:
  - name: x
    aliases: [XCOORD]
    data_type: int32
  - name: y
    data_type: int32
  - name: z
    data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to:
  • define a definition file and override _DEFINITION_FILE;
  • implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.
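To make the data type map idea concrete without installing dtfabric, the following added example (not plaso's or dtfabric's code) implements a struct-based stand-in: a named structure whose members are fixed-size integers, mapped onto bytes read from a file-like object, which reproduces the “point3d” example above from the byte stream 01 00 00 00 02 00 00 00 03 00 00 00. Only the “int32” type comes from the definition file; the other integer types, the byte-order parameter and the helper names are this example's own. The short-read handling is the point a plugin author should take away: a truncated stream is reported as an error at the read, not as a half-filled object.

```python
"""A struct-based stand-in for a dtFabric data type map (added example)."""
import collections
import io
import struct

# Integer definitions: type name -> (size in bytes, signed). "int32" is the
# type from the definition file above; the others are added for illustration.
INTEGER_TYPES = {
    'int32': (4, True), 'uint32': (4, False), 'uint16': (2, False),
    'uint8': (1, False)}
_STRUCT_CODES = {
    (1, False): 'B', (1, True): 'b', (2, False): 'H', (2, True): 'h',
    (4, False): 'I', (4, True): 'i', (8, False): 'Q', (8, True): 'q'}


class DataTypeMap(object):
  """Maps a structure definition onto bytes, like a dtfabric structure map."""

  def __init__(self, name, members, byte_order='little-endian'):
    self.name = name
    self.members = members  # list of (member name, integer type name)
    prefix = '<' if byte_order == 'little-endian' else '>'
    self._format = prefix + ''.join(
        _STRUCT_CODES[INTEGER_TYPES[type_name]] for _, type_name in members)
    self.size = struct.calcsize(self._format)
    self._structure = collections.namedtuple(
        name, [member_name for member_name, _ in members])

  def map_byte_stream(self, data):
    """Returns a named tuple, e.g. point3d(x=1, y=2, z=3)."""
    if len(data) < self.size:
      raise ValueError(f'{self.name} needs {self.size} bytes, got {len(data)}')
    return self._structure(*struct.unpack_from(self._format, data))


# The "point3d" structure from the definition file above.
POINT3D = DataTypeMap(
    'point3d', [('x', 'int32'), ('y', 'int32'), ('z', 'int32')])


def read_structure(file_object, data_type_map):
  """Reads one structure at the current offset of a file-like object.

  A short read is an error rather than a partially filled object: a plugin
  reading a corrupt or truncated OLECF stream should find out here.
  """
  data = file_object.read(data_type_map.size)
  if len(data) != data_type_map.size:
    raise IOError(
        f'unable to read {data_type_map.name}: stream truncated after '
        f'{file_object.tell()} bytes')
  return data_type_map.map_byte_stream(data)


def read_structure_from_bytes(data, data_type_map):
  """Convenience wrapper: reads the structure from an in-memory byte string."""
  return read_structure(io.BytesIO(data), data_type_map)


if __name__ == '__main__':
  stream = bytes.fromhex('01 00 00 00 02 00 00 00 03 00 00 00')
  print(read_structure_from_bytes(stream, POINT3D))  # point3d(x=1, y=2, z=3)
```

The real _ReadStructure in plaso additionally reports the file offset and structure name in the exception it raises; whatever the implementation, the caller has to decide whether a short read means “end of the stream, stop” or “corrupt file, fail the parse”, and that decision belongs in the plugin, not in the reader.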

Process(parser_mediator, root_item=None, **kwargs)[source]

Parses an OLECF file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • root_item (Optional[pyolecf.item]) – root item of the OLECF file.
plaso.parsers.olecf_plugins.interface module

This file contains the necessary interface for OLECF plugins.

class plaso.parsers.olecf_plugins.interface.OLECFPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

The OLECF parser plugin interface.

NAME = 'olecf'
Process(parser_mediator, root_item=None, **kwargs)[source]

Parses an OLECF file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • root_item (Optional[pyolecf.item]) – root item of the OLECF file.
REQUIRED_ITEMS = frozenset()
plaso.parsers.olecf_plugins.summary module

Plugin to parse the OLECF summary/document summary information items.

class plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin[source]

Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin

Plugin that parses DocumentSummaryInformation item from an OLECF file.

DESCRIPTION = 'Parser for a DocumentSummaryInformation OLECF stream.'
NAME = 'olecf_document_summary'
Process(parser_mediator, root_item=None, **kwargs)[source]

Parses a document summary information OLECF item.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises:

ValueError – If the root item is not set.

REQUIRED_ITEMS = frozenset({'\x05DocumentSummaryInformation'})
class plaso.parsers.olecf_plugins.summary.OLECFDocumentSummaryInformation(olecf_item)[source]

Bases: plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream

OLECF Document Summary information property set.

class plaso.parsers.olecf_plugins.summary.OLECFDocumentSummaryInformationEvent(date_time, date_time_description)[source]

Bases: plaso.containers.time_events.DateTimeValuesEvent

Convenience class for an OLECF Document summary information event.

name

str – name of the OLECF item.

DATA_TYPE = 'olecf:document_summary_info'
class plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream(olecf_item)[source]

Bases: object

OLECF property set stream.

date_time_properties

dict[str, dfdatetime.DateTimeValues] – date and time properties and values.

GetEventData(data_type)[source]

Retrieves the properties as event data.

Parameters:data_type (str) – event data type.
Returns:event data.
Return type:EventData
class plaso.parsers.olecf_plugins.summary.OLECFSummaryInformation(olecf_item)[source]

Bases: plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream

OLECF Summary information property set.

class plaso.parsers.olecf_plugins.summary.OLECFSummaryInformationEvent(date_time, date_time_description)[source]

Bases: plaso.containers.time_events.DateTimeValuesEvent

Convenience class for an OLECF Summary information event.

name

str – name of the OLECF item.

DATA_TYPE = 'olecf:summary_info'
class plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin[source]

Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin

Plugin that parses the SummaryInformation item from an OLECF file.

DESCRIPTION = 'Parser for a SummaryInformation OLECF stream.'
NAME = 'olecf_summary'
Process(parser_mediator, root_item=None, **kwargs)[source]

Parses a summary information OLECF item.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises:

ValueError – If the root item is not set.

REQUIRED_ITEMS = frozenset({'\x05SummaryInformation'})
Module contents

This file contains an import statement for each OLECF plugin.

plaso.parsers.plist_plugins package
Submodules
plaso.parsers.plist_plugins.airport module

Airport plist plugin.

class plaso.parsers.plist_plugins.airport.AirportPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist plugin that extracts WiFi information.

DESCRIPTION = 'Parser for Airport plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Airport entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'airport'
PLIST_KEYS = frozenset({'RememberedNetworks'})
PLIST_PATH = 'com.apple.airport.preferences.plist'
plaso.parsers.plist_plugins.appleaccount module

Apple Account plist plugin.

class plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract the apple account information.

Further details about the fields within the key:
Accounts:
account name.
FirstName:
first name associated with the account.
LastName:
family name associated with the account.
CreationDate:
timestamp when the account was configured on the system.
LastSuccessfulConnect:
last time the account was connected.
ValidationDate:
last time the account was validated.
DESCRIPTION = 'Parser for Apple account information plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Apple Account entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'apple_id'
PLIST_KEYS = frozenset({'Accounts', 'AuthCertificates', 'AccessorVersions'})
PLIST_PATH = 'com.apple.coreservices.appleidauthenticationinfo'
Process(parser_mediator, plist_name, top_level, **kwargs)[source]

Check if it is a valid Apple account plist file name.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • plist_name (str) – name of the plist.
  • top_level (dict[str, object]) – plist top-level key.
plaso.parsers.plist_plugins.bluetooth module

Bluetooth plist plugin.

class plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract interesting Bluetooth related keys.

Additional details about the fields.

LastInquiryUpdate:
Device connected via Bluetooth Discovery. Updated when a device is detected in discovery mode. E.g. BT headphone power on. Pairing is not required for a device to be discovered and cached.
LastNameUpdate:
When the human name was last set. Usually done only once during initial setup.
LastServicesUpdate:
Time set when device was polled to determine what it is. Usually done at setup or manually requested via advanced menu.
DESCRIPTION = 'Parser for Bluetooth plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant BT entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'macosx_bluetooth'
PLIST_KEYS = frozenset({'PairedDevices', 'DeviceCache'})
PLIST_PATH = 'com.apple.bluetooth.plist'
plaso.parsers.plist_plugins.default module

This file contains a default plist plugin in Plaso.

class plaso.parsers.plist_plugins.default.DefaultPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract keys with timestamps as values from plists.

DESCRIPTION = 'Parser for plist files.'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)[source]

Simple method to extract date values from a plist.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • top_level (dict[str, object]) – plist top-level key.
NAME = 'plist_default'
Process(parser_mediator, plist_name, top_level, **kwargs)[source]

Overwrite the default Process function so it always triggers.

Process() checks if the current plist being processed is a match for a plugin by comparing the PATH and KEY requirements defined by a plugin. If both match processing continues; else raise WrongPlistPlugin.

The purpose of the default plugin is to always trigger on any given plist file, thus it needs to overwrite the default behavior of comparing PATH and KEY.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • plist_name (str) – name of the plist.
  • top_level (dict[str, object]) – plist top-level key.
plaso.parsers.plist_plugins.dtfabric_plugin module

Shared functionality for dtFabric-based data format plist plugins.

class plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Shared functionality for dtFabric-based data format plist plugins.

A dtFabric-based data format plist parser plugin defines its data format structures in a dtFabric definition file, for example “dtfabric.yaml”:

  name: int32
  type: integer
  description: 32-bit signed integer type
  attributes:
    format: signed
    size: 4
    units: bytes
  ---
  name: point3d
  aliases: [POINT]
  type: structure
  description: Point in 3 dimensional space.
  attributes:
    byte_order: little-endian
  members:
  - name: x
    aliases: [XCOORD]
    data_type: int32
  - name: y
    data_type: int32
  - name: z
    data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition file contains data type definitions, such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represents the data type definition mapped onto a byte stream. For example, given the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to:
  • define a definition file and override _DEFINITION_FILE;
  • implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.
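As an added illustration (not Plaso's or dtFabric's own code), the following Python models the workflow described above: the two definitions from the YAML excerpt are held as dictionaries, data type maps are built once and cached by name or alias, and the byte stream 01 00 00 00 02 00 00 00 03 00 00 00 is mapped to point3d(x=1, y=2, z=3). The class and method names, the struct-based mapping and the little-endian default for stand-alone integers are assumptions of this model, not dtFabric's real API.

```python
import io
import struct
from collections import namedtuple

# Constructed: the two definitions from the dtfabric.yaml excerpt above, as the
# dictionaries a YAML loader would produce (no dtfabric import needed).
DEFINITIONS = [
    {'name': 'int32', 'type': 'integer',
     'attributes': {'format': 'signed', 'size': 4, 'units': 'bytes'}},
    {'name': 'point3d', 'aliases': ['POINT'], 'type': 'structure',
     'attributes': {'byte_order': 'little-endian'},
     'members': [
         {'name': 'x', 'aliases': ['XCOORD'], 'data_type': 'int32'},
         {'name': 'y', 'data_type': 'int32'},
         {'name': 'z', 'data_type': 'int32'}]},
]

# struct format characters keyed by (signed, size in bytes).
_INTEGER_FORMATS = {
    (True, 1): 'b', (False, 1): 'B', (True, 2): 'h', (False, 2): 'H',
    (True, 4): 'i', (False, 4): 'I', (True, 8): 'q', (False, 8): 'Q'}
_BYTE_ORDERS = {'little-endian': '<', 'big-endian': '>'}


class DataTypeMap(object):
  """Maps a byte stream onto a Python object for one data type definition."""

  def __init__(self, name, format_string, field_names=None):
    self.name = name
    self.format_string = format_string
    self.size = struct.calcsize(format_string)
    self._tuple_type = namedtuple(name, field_names) if field_names else None

  def MapByteStream(self, byte_stream):
    """Returns the mapped object; raises ValueError if the data is too short."""
    if len(byte_stream) < self.size:
      raise ValueError('{0:s}: need {1:d} bytes, got {2:d}'.format(
          self.name, self.size, len(byte_stream)))
    values = struct.unpack_from(self.format_string, byte_stream)
    return values[0] if self._tuple_type is None else self._tuple_type(*values)


class Fabric(object):
  """The collection of definitions; data type maps are cached for reuse."""

  def __init__(self, definitions):
    self._definitions = {}
    for definition in definitions:
      for name in [definition['name']] + definition.get('aliases', []):
        self._definitions[name] = definition
    self._data_type_maps = {}

  def _IntegerFormat(self, name):
    definition = self._definitions[name]
    attributes = definition.get('attributes', {})
    key = (attributes.get('format') == 'signed', attributes.get('size'))
    if definition['type'] != 'integer' or key not in _INTEGER_FORMATS:
      raise ValueError('unsupported integer data type: {0:s}'.format(name))
    return _INTEGER_FORMATS[key]

  def GetDataTypeMap(self, name):
    """Returns the data type map for a definition name or alias, cached."""
    definition = self._definitions.get(name)
    if definition is None:
      raise KeyError('no data type definition named: {0:s}'.format(name))
    canonical = definition['name']
    if canonical not in self._data_type_maps:
      if definition['type'] == 'integer':
        # Stand-alone integers are read little-endian in this model.
        fmt, fields = '<' + self._IntegerFormat(canonical), None
      elif definition['type'] == 'structure':
        byte_order = _BYTE_ORDERS[definition['attributes']['byte_order']]
        members = definition['members']
        fmt = byte_order + ''.join(
            self._IntegerFormat(member['data_type']) for member in members)
        fields = [member['name'] for member in members]
      else:
        raise ValueError('unsupported type: {0:s}'.format(definition['type']))
      self._data_type_maps[canonical] = DataTypeMap(canonical, fmt, fields)
    return self._data_type_maps[canonical]

  def ReadStructure(self, file_object, data_type_map):
    """Reads one structure from a file-like object, as _ReadStructure does."""
    return data_type_map.MapByteStream(file_object.read(data_type_map.size))


def ParsePoint3d(byte_stream):
  """Maps e.g. 01 00 00 00 02 00 00 00 03 00 00 00 to point3d(x=1, y=2, z=3)."""
  fabric = Fabric(DEFINITIONS)
  data_type_map = fabric.GetDataTypeMap('POINT')   # alias resolves to point3d
  return fabric.ReadStructure(io.BytesIO(byte_stream), data_type_map)
```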

GetEntries(parser_mediator, top_level=None, match=None, **unused_kwargs)[source]

Extracts event objects from the values of entries within a plist.

This is the main method that a plist plugin needs to implement.

The contents of the plist keys defined in PLIST_KEYS will be made available to the plugin as self.matched{‘KEY’: ‘value’}. The plugin should implement logic to parse this into a useful event for incorporation into the Plaso timeline.

For example if you want to note the timestamps of when devices were LastInquiryUpdated you would need to examine the bluetooth config file called ‘com.apple.bluetooth’ and need to look at devices under the key ‘DeviceCache’. To do this the plugin needs to define PLIST_PATH = ‘com.apple.bluetooth’ and PLIST_KEYS = frozenset([‘DeviceCache’]). IMPORTANT: this interface requires exact names and is case sensitive. A unit test based on a real world file is expected for each plist plugin.

When a file with this key is encountered during processing, self.matched is populated and the plugin’s GetEntries() is called. The plugin would have self.matched = {‘DeviceCache’: [{‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}, ‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}, …}]} and needs to implement logic here to extract values, format them, and produce the data as an event.PlistEvent.

The attributes for a PlistEvent should include the following:

root = Root key this event was extracted from. E.g. DeviceCache/
key = Key the value resided in. E.g. ‘DE:AD:BE:EF:01’
time = Date this artifact was created in number of microseconds (usec) since January 1, 1970, 00:00:00 UTC.
desc = Short description. E.g. ‘Device LastInquiryUpdated’

See plist/bluetooth.py for the implemented example plugin.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • top_level (Optional[dict[str, object]]) – plist top-level key.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
plaso.parsers.plist_plugins.install_history module

Install history plist plugin.

class plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist plugin that extracts the installation history.

DESCRIPTION = 'Parser for installation history plist files.'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)[source]

Extracts relevant install history entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • top_level (dict[str, object]) – plist top-level key.
NAME = 'macosx_install_history'
PLIST_KEYS = frozenset({'displayName', 'displayVersion', 'processName', 'packageIdentifiers', 'date'})
PLIST_PATH = 'InstallHistory.plist'
plaso.parsers.plist_plugins.interface module

Plist_interface contains basic interface for plist plugins within Plaso.

Plist files are only one example of a type of object that the Plaso tool is expected to encounter and process. There can be and are many other parsers which are designed to process specific data types.

PlistPlugin defines the attributes necessary for registration, discovery and operation of plugins for plist files which will be used by PlistParser.

class plaso.parsers.plist_plugins.interface.PlistPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

This is an abstract class from which plugins should be based.

The following are the attributes and methods expected to be overridden by a plugin.

Attributes:
PLIST_PATH:
string of the filename the plugin is designed to process.
PLIST_KEY:
list of keys holding values that are necessary for processing.

Please note that PLIST_KEY is case sensitive; for a plugin to match, the plist file needs to contain at minimum the keys needed for processing, otherwise WrongPlistPlugin is raised.

For example, if a plist file contains the keys {‘foo’: 1, ‘bar’: 2, ‘opt’: 3} with ‘foo’ and ‘bar’ being critical to processing, define PLIST_KEY as [‘foo’, ‘bar’]. If ‘opt’ is only optionally defined it can still be accessed by manually processing self.top_level from the plugin.

Methods:
GetEntries():
extracts and formats information from keys and yields event.PlistEvent.

GetEntries(parser_mediator, top_level=None, match=None, **unused_kwargs)[source]

Extracts event objects from the values of entries within a plist.

This is the main method that a plist plugin needs to implement.

The contents of the plist keys defined in PLIST_KEYS will be made available to the plugin as self.matched{‘KEY’: ‘value’}. The plugin should implement logic to parse this into a useful event for incorporation into the Plaso timeline.

For example if you want to note the timestamps of when devices were LastInquiryUpdated you would need to examine the bluetooth config file called ‘com.apple.bluetooth’ and need to look at devices under the key ‘DeviceCache’. To do this the plugin needs to define PLIST_PATH = ‘com.apple.bluetooth’ and PLIST_KEYS = frozenset([‘DeviceCache’]). IMPORTANT: this interface requires exact names and is case sensitive. A unit test based on a real world file is expected for each plist plugin.

When a file with this key is encountered during processing, self.matched is populated and the plugin’s GetEntries() is called. The plugin would have self.matched = {‘DeviceCache’: [{‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}, ‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}, …}]} and needs to implement logic here to extract values, format them, and produce the data as an event.PlistEvent.

The attributes for a PlistEvent should include the following:

root = Root key this event was extracted from. E.g. DeviceCache/
key = Key the value resided in. E.g. ‘DE:AD:BE:EF:01’
time = Date this artifact was created in number of microseconds (usec) since January 1, 1970, 00:00:00 UTC.
desc = Short description. E.g. ‘Device LastInquiryUpdated’

See plist/bluetooth.py for the implemented example plugin.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • top_level (Optional[dict[str, object]]) – plist top-level key.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'plist_plugin'
PLIST_KEYS = frozenset({'any'})
PLIST_PATH = 'any'
Process(parser_mediator, plist_name, top_level, **kwargs)[source]

Determine if this is the correct plugin; if so proceed with processing.

Process() checks if the current plist being processed is a match for a plugin by comparing the PATH and KEY requirements defined by a plugin. If both match processing continues; else raise WrongPlistPlugin.

This function also extracts the required keys as defined in self.PLIST_KEYS from the plist and stores the result in self.match[key] and calls self.GetEntries() which holds the processing logic implemented by the plugin.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • plist_name (str) – name of the plist.
  • top_level (dict[str, object]) – plist top-level key.
Raises:
  • WrongPlistPlugin – If this plugin is not able to process the given file.
  • ValueError – If top_level or plist_name are not set.
URLS = []
plaso.parsers.plist_plugins.interface.RecurseKey(recur_item, depth=15, key_path='')[source]

Flattens nested dictionaries and lists by yielding their values.

The hierarchy of a plist file is a series of nested dictionaries and lists. This helper function lets plugins navigate the structure without having to reimplement their own recursive methods.

This method implements an overridable depth limit to prevent processing extremely deeply nested plists. If the limit is reached a debug message is logged indicating which key processing stopped on.

Example input plist:
  recur_item = {DeviceRoot: {DeviceMAC1: [Value1, Value2, Value3],
                             DeviceMAC2: [Value1, Value2, Value3]}}
Example output:
  (‘’, DeviceRoot, {DeviceMACs…})
  (DeviceRoot, DeviceMAC1, [Value1, Value2, Value3])
  (DeviceRoot, DeviceMAC2, [Value1, Value2, Value3])
Parameters:
  • recur_item – An object to be checked for additional nested items.
  • depth – Optional integer indicating the current recursion depth. This value is used to ensure we stop at the maximum recursion depth.
  • key_path – Optional path of the current working key.
Yields:

A tuple of the key path, key, and value from a plist.
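As an added worked example (not Plaso's code), the following Python models the Process()/GetEntries() contract and the RecurseKey() helper described above, and runs a constructed com.apple.bluetooth.plist through a DeviceCache plugin to produce PlistEvent-style records (root, key, time in microseconds since 1970-01-01 UTC, desc). The WrongPlistPlugin class, the event dictionaries, the '/'-joined key paths and the sample plist are assumptions of this illustration; it follows the docstring example (PLIST_KEYS of only DeviceCache), whereas the page's BluetoothPlugin also requires PairedDevices.

```python
import logging
import plistlib
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


class WrongPlistPlugin(Exception):
  """Raised when a plist does not satisfy a plugin's PLIST_PATH and PLIST_KEYS."""


def RecurseKey(recur_item, depth=15, key_path=''):
  """Yields (key_path, key, value) tuples from nested dicts and lists."""
  if depth < 1:
    logging.debug('Recursion limit reached at key path: %s', key_path)
    return
  if isinstance(recur_item, (list, tuple)):
    for item in recur_item:
      yield from RecurseKey(item, depth=depth, key_path=key_path)
    return
  if not hasattr(recur_item, 'items'):
    return
  for key, value in recur_item.items():
    yield key_path, key, value
    nested = [value] if isinstance(value, dict) else value
    if isinstance(nested, (list, tuple)):
      # Child paths are joined with '/', so the root level reports ''.
      sub_path = '/'.join(part for part in (key_path, key) if part)
      for item in nested:
        if isinstance(item, dict):
          yield from RecurseKey(item, depth=depth - 1, key_path=sub_path)


def MicrosecondsSinceEpoch(value):
  """Converts a datetime (naive values are UTC, as plistlib returns them) to usec."""
  if value.tzinfo is None:
    value = value.replace(tzinfo=timezone.utc)
  delta = value - EPOCH
  return (delta.days * 86400 + delta.seconds) * 1000000 + delta.microseconds


class PlistPlugin(object):
  """Model of the contract: PLIST_PATH and PLIST_KEYS gate GetEntries()."""
  NAME = 'plist_plugin'
  PLIST_PATH = 'any'
  PLIST_KEYS = frozenset(['any'])

  def Process(self, plist_name, top_level):
    if not plist_name or top_level is None:
      raise ValueError('plist_name and top_level must be set')
    if plist_name != self.PLIST_PATH:
      raise WrongPlistPlugin('{0:s}: wrong path {1:s}'.format(self.NAME, plist_name))
    # Exact, case sensitive key names: every required key must be present.
    if not set(top_level.keys()).issuperset(self.PLIST_KEYS):
      raise WrongPlistPlugin('{0:s}: required keys missing'.format(self.NAME))
    match = {key: top_level[key] for key in self.PLIST_KEYS}
    return list(self.GetEntries(match=match, top_level=top_level))


class BluetoothPlugin(PlistPlugin):
  """Turns DeviceCache timestamps into PlistEvent-style records."""
  NAME = 'macosx_bluetooth'
  PLIST_PATH = 'com.apple.bluetooth.plist'
  PLIST_KEYS = frozenset(['DeviceCache'])
  _TIMESTAMP_KEYS = ('LastInquiryUpdate', 'LastNameUpdate', 'LastServicesUpdate')

  def GetEntries(self, match=None, top_level=None):
    for key_path, key, value in RecurseKey(match['DeviceCache'], key_path='DeviceCache'):
      if key not in self._TIMESTAMP_KEYS or not isinstance(value, datetime):
        continue
      root, _, device = key_path.rpartition('/')   # 'DeviceCache/DE:AD:BE:EF:01'
      yield {'root': root, 'key': device, 'time': MicrosecondsSinceEpoch(value),
             'desc': 'Device {0:s}'.format(key)}


# Constructed sample plist for this example (not a real capture).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DeviceCache</key><dict>
    <key>DE:AD:BE:EF:01</key><dict>
      <key>Name</key><string>Headset</string>
      <key>LastInquiryUpdate</key><date>2017-09-30T12:34:56Z</date>
      <key>LastNameUpdate</key><date>2017-09-01T08:00:00Z</date>
    </dict>
  </dict>
  <key>PairedDevices</key><array><string>DE:AD:BE:EF:01</string></array>
</dict></plist>"""


def ParseBluetoothPlist(plist_name, data):
  """Loads the plist and runs it through the plugin; returns the event records."""
  return BluetoothPlugin().Process(plist_name, plistlib.loads(data))


def MatchesPlugin(plugin, plist_name, top_level):
  """True if Process() accepts the plist, False if it raises WrongPlistPlugin."""
  try:
    plugin.Process(plist_name, top_level)
  except WrongPlistPlugin:
    return False
  return True
```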

plaso.parsers.plist_plugins.ipod module

This file contains a plist plugin for the iPod/iPhone storage plist.

class plaso.parsers.plist_plugins.ipod.IPodPlistEventData[source]

Bases: plaso.containers.events.EventData

iPod plist event data.

device_id

str – unique identifier of the iPod device.

DATA_TYPE = 'ipod:device:entry'
class plaso.parsers.plist_plugins.ipod.IPodPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plugin to extract iPod/iPad/iPhone device information.

DESCRIPTION = 'Parser for iPod, iPad and iPhone plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extract device information from the iPod plist.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'ipod_device'
PLIST_KEYS = frozenset({'Devices'})
PLIST_PATH = 'com.apple.iPod.plist'
plaso.parsers.plist_plugins.macuser module

This file contains the MacOS user plist plugin.

class plaso.parsers.plist_plugins.macuser.MacUserPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract timestamp Mac user information.

Further details about the extracted fields.
name:
string with the system user.
uid:
user ID.
passwordpolicyoptions:
XML Plist structures with the timestamp.
passwordLastSetTime:
last time the password was changed.
lastLoginTimestamp:
last time the user was authenticated. Depending on the situation these timestamps are reset to 0, which the library translates to 2001-01-01 00:00:00 (the Cocoa zero time representation); if this happens, no event is yielded.
failedLoginTimestamp:
last time the user's password was entered incorrectly.
failedLoginCount:
number of incorrect password attempts.
DESCRIPTION = 'Parser for MacOS user plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant user timestamp entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'macuser'
PLIST_KEYS = frozenset({'passwordpolicyoptions', 'ShadowHashData', 'uid', 'name', 'home'})
Process(parser_mediator, plist_name, top_level, **kwargs)[source]

Check if it is a valid MacOS system account plist file name.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • plist_name (str) – name of the plist.
  • top_level (dict[str, object]) – plist top-level key.
plaso.parsers.plist_plugins.safari module

This file contains the Safari history plist plugin.

class plaso.parsers.plist_plugins.safari.SafariHistoryEventData[source]

Bases: plaso.containers.events.EventData

Safari history event data.

display_title

str – display title of the webpage visited.

title

str – title of the webpage visited.

url

str – URL visited.

visit_count

int – number of times the website was visited.

was_http_non_get

bool – True if the webpage was visited using a non-GET HTTP request.

DATA_TYPE = 'safari:history:visit'
class plaso.parsers.plist_plugins.safari.SafariHistoryPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plugin to extract Safari history timestamps.

DESCRIPTION = 'Parser for Safari history plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts Safari history items.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'safari_history'
PLIST_KEYS = frozenset({'WebHistoryFileVersion', 'WebHistoryDates'})
PLIST_PATH = 'History.plist'
plaso.parsers.plist_plugins.softwareupdate module

Software update plist plugin.

class plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract the MacOS update status.

Further details about the extracted fields:
LastFullSuccessfulDate:
timestamp of the last full MacOS update.
LastSuccessfulDate:
timestamp of the last partial MacOS update.
DESCRIPTION = 'Parser for MacOS software update plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant MacOS update entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'maxos_software_update'
PLIST_KEYS = frozenset({'RecommendedUpdates', 'LastAttemptSystemVersion', 'LastUpdatesAvailable', 'LastFullSuccessfulDate', 'LastSuccessfulDate', 'LastRecommendedUpdatesAvailable'})
PLIST_PATH = 'com.apple.SoftwareUpdate.plist'
plaso.parsers.plist_plugins.spotlight module

Spotlight searched terms plist plugin.

class plaso.parsers.plist_plugins.spotlight.SpotlightPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract information from Spotlight plist file.

Further information about extracted fields:
name of the item:
search term.
PATH:
path of the program associated to the term.
LAST_USED:
last time when it was executed.
DISPLAY_NAME:
the display name of the program associated.
DESCRIPTION = 'Parser for Spotlight plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Spotlight entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'spotlight'
PLIST_KEYS = frozenset({'UserShortcuts'})
PLIST_PATH = 'com.apple.spotlight.plist'
plaso.parsers.plist_plugins.spotlight_volume module

Spotlight Volume Configuration plist plugin.

class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract the Spotlight Volume Configuration.

DESCRIPTION = 'Parser for Spotlight volume configuration plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Volume Configuration Spotlight entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'spotlight_volume'
PLIST_KEYS = frozenset({'Stores'})
PLIST_PATH = 'VolumeConfiguration.plist'
plaso.parsers.plist_plugins.timemachine module

TimeMachine plist plugin.

class plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin[source]

Bases: plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin

Basic plugin to extract the TimeMachine backup disk and the backups.

Further details about the extracted fields:
DestinationID:
UUID of the remote hard disk where the backup is stored.
BackupAlias:
structure that contains extra information about the DestinationID.
SnapshotDates:
list of the backup dates.
DESCRIPTION = 'Parser for TimeMachine plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant TimeMachine entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'time_machine'
PLIST_KEYS = frozenset({'RootVolumeUUID', 'Destinations'})
PLIST_PATH = 'com.apple.TimeMachine.plist'
Module contents

Imports for the plist parser.

plaso.parsers.shared package
Submodules
plaso.parsers.shared.shell_items module

Parser for Windows NT shell items.

class plaso.parsers.shared.shell_items.ShellItemsParser(origin)[source]

Bases: object

Parses Windows NT shell items.

CopyToPath()[source]

Copies the shell items to a path.

Returns: converted shell item list path or None.
Return type: str
GetUpperPathSegment()[source]

Retrieves the upper shell item path segment.

Returns: shell item path segment or “N/A”.
Return type: str
NAME = 'shell_items'
ParseByteStream(parser_mediator, byte_stream, parent_path_segments=None, codepage='cp1252')[source]

Parses the shell items from the byte stream.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • byte_stream (bytes) – shell items data.
  • parent_path_segments (Optional[list[str]]) – parent shell item path segments.
  • codepage (Optional[str]) – byte stream codepage.
Module contents
plaso.parsers.sqlite_plugins package
Submodules
plaso.parsers.sqlite_plugins.android_calls module

This file contains a parser for the Android contacts2 Call History.

Android Call History is stored in SQLite database files named contacts2.db.

class plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData[source]

Bases: plaso.containers.events.EventData

Android Call event data.

call_type

str – type of call, such as: Incoming, Outgoing, or Missed.

duration

int – number of seconds the call lasted.

name

str – name associated to the remote party.

number

str – phone number associated to the remote party.

DATA_TYPE = 'android:event:call'
class plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse Android contacts2 database.

CALL_TYPE = {1: 'INCOMING', 2: 'OUTGOING', 3: 'MISSED'}
DESCRIPTION = 'Parser for Android calls SQLite database files.'
NAME = 'android_calls'
ParseCallsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Call record row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT _id AS id, date, number, name, duration, type FROM calls', 'ParseCallsRow')]
REQUIRED_TABLES = frozenset({'calls'})
SCHEMAS = [{'deleted_contacts': 'CREATE TABLE deleted_contacts (contact_id INTEGER PRIMARY KEY, contact_deleted_timestamp INTEGER NOT NULL default 0)', 'name_lookup': 'CREATE TABLE name_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_name TEXT NOT NULL, name_type INTEGER NOT NULL, PRIMARY KEY (data_id, normalized_name, name_type))', '_sync_state_metadata': 'CREATE TABLE _sync_state_metadata (version INTEGER)', 'calls': 'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, numbertype INTEGER, numberlabel TEXT, countryiso TEXT, voicemail_uri TEXT, is_read INTEGER, geocoded_location TEXT, lookup_uri TEXT, matched_number TEXT, normalized_number TEXT, photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, has_content INTEGER, mime_type TEXT, source_data TEXT, source_package TEXT, state INTEGER)', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL)', 'properties': 'CREATE TABLE properties (property_key TEXT PRIMARY KEY, property_value TEXT )', 'data': 'CREATE TABLE data (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), mimetype_id INTEGER REFERENCES mimetype(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, is_read_only INTEGER NOT NULL DEFAULT 0, is_primary INTEGER NOT NULL DEFAULT 0, is_super_primary INTEGER NOT NULL DEFAULT 0, data_version INTEGER NOT NULL DEFAULT 0, data1 TEXT, data2 TEXT, data3 TEXT, data4 TEXT, data5 TEXT, data6 TEXT, data7 TEXT, data8 TEXT, data9 TEXT, data10 TEXT, data11 TEXT, data12 TEXT, data13 TEXT, data14 TEXT, data15 TEXT, data_sync1 TEXT, data_sync2 TEXT, data_sync3 TEXT, data_sync4 TEXT )', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', '_sync_state': 'CREATE TABLE _sync_state (_id INTEGER PRIMARY KEY, account_name TEXT NOT NULL, 
account_type TEXT NOT NULL, data TEXT, UNIQUE(account_name, account_type))', 'photo_files': 'CREATE TABLE photo_files (_id INTEGER PRIMARY KEY AUTOINCREMENT, height INTEGER NOT NULL, width INTEGER NOT NULL, filesize INTEGER NOT NULL)', 'mimetypes': 'CREATE TABLE mimetypes (_id INTEGER PRIMARY KEY AUTOINCREMENT, mimetype TEXT NOT NULL)', 'phone_lookup': 'CREATE TABLE phone_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_number TEXT NOT NULL, min_match TEXT NOT NULL)', 'data_usage_stat': 'CREATE TABLE data_usage_stat(stat_id INTEGER PRIMARY KEY AUTOINCREMENT, data_id INTEGER NOT NULL, usage_type INTEGER NOT NULL DEFAULT 0, times_used INTEGER NOT NULL DEFAULT 0, last_time_used INTEGER NOT NULL DEFAULT 0, FOREIGN KEY(data_id) REFERENCES data(_id))', 'nickname_lookup': 'CREATE TABLE nickname_lookup (name TEXT, cluster TEXT)', 'agg_exceptions': 'CREATE TABLE agg_exceptions (_id INTEGER PRIMARY KEY AUTOINCREMENT, type INTEGER NOT NULL, raw_contact_id1 INTEGER REFERENCES raw_contacts(_id), raw_contact_id2 INTEGER REFERENCES raw_contacts(_id))', 'directories': 'CREATE TABLE directories(_id INTEGER PRIMARY KEY AUTOINCREMENT, packageName TEXT NOT NULL, authority TEXT NOT NULL, typeResourceId INTEGER, typeResourceName TEXT, accountType TEXT, accountName TEXT, displayName TEXT, exportSupport INTEGER NOT NULL DEFAULT 0, shortcutSupport INTEGER NOT NULL DEFAULT 0, photoSupport INTEGER NOT NULL DEFAULT 0)', 'accounts': 'CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, account_name TEXT, account_type TEXT, data_set TEXT)', 'contacts': 'CREATE TABLE contacts (_id INTEGER PRIMARY KEY AUTOINCREMENT, name_raw_contact_id INTEGER REFERENCES raw_contacts(_id), photo_id INTEGER REFERENCES data(_id), photo_file_id INTEGER REFERENCES photo_files(_id), custom_ringtone TEXT, send_to_voicemail INTEGER NOT NULL DEFAULT 0, times_contacted INTEGER NOT NULL DEFAULT 0, last_time_contacted INTEGER, starred 
INTEGER NOT NULL DEFAULT 0, has_phone_number INTEGER NOT NULL DEFAULT 0, lookup TEXT, status_update_id INTEGER REFERENCES data(_id), contact_last_updated_timestamp INTEGER)', 'groups': 'CREATE TABLE groups (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), account_name STRING DEFAULT NULL, account_type STRING DEFAULT NULL, data_set STRING DEFAULT NULL, sourceid TEXT, version INTEGER NOT NULL DEFAULT 1, dirty INTEGER NOT NULL DEFAULT 0, title TEXT, title_res INTEGER, notes TEXT, system_id TEXT, deleted INTEGER NOT NULL DEFAULT 0, group_visible INTEGER NOT NULL DEFAULT 0, should_sync INTEGER NOT NULL DEFAULT 1, auto_add INTEGER NOT NULL DEFAULT 0, favorites INTEGER NOT NULL DEFAULT 0, group_is_read_only INTEGER NOT NULL DEFAULT 0, sync1 TEXT, sync2 TEXT, sync3 TEXT, sync4 TEXT , account_id INTEGER REFERENCES accounts(_id))', 'default_directory': 'CREATE TABLE default_directory (_id INTEGER PRIMARY KEY)'}]
plaso.parsers.sqlite_plugins.android_sms module

This file contains a parser for the Android SMS database.

Android SMS messages are stored in SQLite database files named mmssms.db.

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData[source]

Bases: plaso.containers.events.EventData

Android SMS event data.

address

str – phone number associated to the sender or receiver.

body

str – content of the SMS text message.

sms_read

str – message read status, either Read or Unread.

sms_type

str – message type, either Sent or Received.

DATA_TYPE = 'android:messaging:sms'
class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Android SMS databases.

DESCRIPTION = 'Parser for Android text messages SQLite database files.'
NAME = 'android_sms'
ParseSmsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an SMS row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT _id AS id, address, date, read, type, body FROM sms', 'ParseSmsRow')]
REQUIRED_TABLES = frozenset({'sms'})
SCHEMAS = [{'attachments': 'CREATE TABLE attachments (sms_id INTEGER, content_url TEXT, offset INTEGER)', 'sms': 'CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, person INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, protocol INTEGER, read INTEGER DEFAULT 0, status INTEGER DEFAULT -1, type INTEGER, reply_path_present INTEGER, subject TEXT, body TEXT, service_center TEXT, locked INTEGER DEFAULT 0, error_code INTEGER DEFAULT 0, seen INTEGER DEFAULT 0)', 'rate': 'CREATE TABLE rate (sent_time INTEGER)', 'words_content': "CREATE TABLE 'words_content'(docid INTEGER PRIMARY KEY, 'c0_id', 'c1index_text', 'c2source_id', 'c3table_to_use')", 'addr': 'CREATE TABLE addr (_id INTEGER PRIMARY KEY, msg_id INTEGER, contact_id INTEGER, address TEXT, type INTEGER, charset INTEGER)', 'pd': 'CREATE TABLE pdu (_id INTEGER PRIMARY KEY AUTOINCREMENT, thread_id INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, msg_box INTEGER, read INTEGER DEFAULT 0, m_id TEXT, sub TEXT, sub_cs INTEGER, ct_t TEXT, ct_l TEXT, exp INTEGER, m_cls TEXT, m_type INTEGER, v INTEGER, m_size INTEGER, pri INTEGER, rr INTEGER, rpt_a INTEGER, resp_st INTEGER, st INTEGER, tr_id TEXT, retr_st INTEGER, retr_txt TEXT, retr_txt_cs INTEGER, read_status INTEGER, ct_cls INTEGER, resp_txt TEXT, d_tm INTEGER, d_rpt INTEGER, locked INTEGER DEFAULT 0, seen INTEGER DEFAULT 0, text_only INTEGER DEFAULT 0)', 'pending_msgs': 'CREATE TABLE pending_msgs (_id INTEGER PRIMARY KEY, proto_type INTEGER, msg_id INTEGER, msg_type INTEGER, err_type INTEGER, err_code INTEGER, retry_index INTEGER NOT NULL DEFAULT 0, due_time INTEGER, last_try INTEGER)', 'sr_pending': 'CREATE TABLE sr_pending (reference_number INTEGER, action TEXT, data TEXT)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'words_segments': "CREATE TABLE 'words_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'drm': 'CREATE TABLE drm (_id INTEGER PRIMARY KEY, _data TEXT)', 'words_segdir': "CREATE TABLE 'words_segdir'(level INTEGER, idx INTEGER, start_block INTEGER, leaves_end_block INTEGER, end_block INTEGER, root BLOB, PRIMARY KEY(level, idx))", 'canonical_addresses': 'CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT)', 'raw': 'CREATE TABLE raw (_id INTEGER PRIMARY KEY, date INTEGER, reference_number INTEGER, count INTEGER, sequence INTEGER, destination_port INTEGER, address TEXT, pdu TEXT)', 'threads': 'CREATE TABLE threads (_id INTEGER PRIMARY KEY AUTOINCREMENT, date INTEGER DEFAULT 0, message_count INTEGER DEFAULT 0, recipient_ids TEXT, snippet TEXT, snippet_cs INTEGER DEFAULT 0, read INTEGER DEFAULT 1, type INTEGER DEFAULT 0, error INTEGER DEFAULT 0, has_attachment INTEGER DEFAULT 0)', 'words': 'CREATE VIRTUAL TABLE words USING FTS3 (_id INTEGER PRIMARY KEY, index_text TEXT, source_id INTEGER, table_to_use INTEGER)', 'part': 'CREATE TABLE part (_id INTEGER PRIMARY KEY AUTOINCREMENT, mid INTEGER, seq INTEGER DEFAULT 0, ct TEXT, name TEXT, chset INTEGER, cd TEXT, fn TEXT, cid TEXT, cl TEXT, ctt_s INTEGER, ctt_t TEXT, _data TEXT, text TEXT)'}]
SMS_READ = {0: 'UNREAD', 1: 'READ'}
SMS_TYPE = {1: 'RECEIVED', 2: 'SENT'}
plaso.parsers.sqlite_plugins.android_webview module

Parser for Android WebView databases.

class plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData[source]

Bases: plaso.containers.events.EventData

Android WebView cookie event data.

cookie_name

str – name of the cookie.

data

str – data stored in the cookie.

domain

str – host that set the cookie.

path

str – path for which the cookie was set.

secure

bool – True if the cookie should only be transmitted over a secure channel.

url

str – URL of the cookie.

DATA_TYPE = 'webview:cookie'
class plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for WebView databases.

DESCRIPTION = 'Parser for Android WebView databases'
NAME = 'android_webview'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = frozenset({('SELECT _id, name, value, domain, expires, path, secure FROM cookies', 'ParseCookieRow')})
REQUIRED_TABLES = frozenset({'cookies', 'android_metadata'})
SCHEMAS = [{'password': 'CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT, UNIQUE (host, username) ON CONFLICT REPLACE)', 'cookies': 'CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, value TEXT, domain TEXT, path TEXT, expires INTEGER, secure INTEGER)', 'formdata': 'CREATE TABLE formdata (_id INTEGER PRIMARY KEY, urlid INTEGER, name TEXT, value TEXT, UNIQUE (urlid, name, value) ON CONFLICT IGNORE)', 'formurl': 'CREATE TABLE formurl (_id INTEGER PRIMARY KEY, url TEXT)', 'httpauth': 'CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT, username TEXT, password TEXT, UNIQUE (host, realm) ON CONFLICT REPLACE)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)'}]
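As an added example (not Plaso's own code), the following builds an in-memory SQLite database from the cookies and android_metadata schema listed above, checks REQUIRED_TABLES and the stored schema the way a plugin has to before it trusts a database, runs the ParseCookieRow query from QUERIES, and maps each row onto the WebViewCookieEventData attribute names. The sample rows are constructed; deriving url from domain, path and the secure flag is this example's own choice, not necessarily how the plugin does it.

```python
import sqlite3

# Tables, schema and query copied from the WebViewPlugin reference above.
REQUIRED_TABLES = frozenset({'cookies', 'android_metadata'})
SCHEMA = {
    'cookies': ('CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, '
                'value TEXT, domain TEXT, path TEXT, expires INTEGER, secure INTEGER)'),
    'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)',
}
COOKIE_QUERY = 'SELECT _id, name, value, domain, expires, path, secure FROM cookies'


def build_sample_database():
    """Creates an in-memory WebView database with constructed sample rows."""
    conn = sqlite3.connect(':memory:')
    conn.row_factory = sqlite3.Row
    for statement in SCHEMA.values():
        conn.execute(statement)
    conn.execute("INSERT INTO android_metadata VALUES ('en_US')")
    conn.executemany(
        'INSERT INTO cookies (name, value, domain, path, expires, secure) '
        'VALUES (?, ?, ?, ?, ?, ?)',
        [('sessionid', 'abc123', 'example.com', '/', 1500000000000, 1),   # constructed
         ('theme', 'dark', 'example.com', '/app', 0, 0)])                  # constructed
    conn.commit()
    return conn


def required_tables_present(conn, required):
    """True if every table the plugin requires exists in the database."""
    names = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    return required <= names


def schema_matches(conn, schema):
    """Compares the CREATE statements SQLite stored against the expected schema.

    SQLite keeps the original CREATE TABLE text in sqlite_master.sql, so a
    database created from these exact statements compares equal string-for-string.
    """
    stored = {row[0]: row[1] for row in conn.execute(
        "SELECT name, sql FROM sqlite_master WHERE type = 'table'")}
    return all(stored.get(name) == sql for name, sql in schema.items())


def parse_cookie_row(row):
    """Maps one cookies row onto the WebViewCookieEventData attribute names."""
    secure = bool(row['secure'])
    # url is assembled here from domain, path and the secure flag (this
    # example's assumption); the secure flag also tells an analyst whether the
    # cookie could have travelled over plain HTTP.
    scheme = 'https' if secure else 'http'
    return {
        'cookie_name': row['name'],
        'data': row['value'],
        'domain': row['domain'],
        'path': row['path'],
        'secure': secure,
        'url': '{0:s}://{1:s}{2:s}'.format(scheme, row['domain'], row['path']),
        'expires': row['expires'],
    }


def extract_cookie_events(conn):
    """Runs the plugin query and returns one event dict per cookie row."""
    if not required_tables_present(conn, REQUIRED_TABLES):
        raise ValueError('database is missing tables required by the plugin')
    return [parse_cookie_row(row) for row in conn.execute(COOKIE_QUERY)]


if __name__ == '__main__':
    for event in extract_cookie_events(build_sample_database()):
        print(event)
```

The schema comparison is deliberately strict: a WebView database from a different Android release stores a different CREATE statement, and the plugin reference lists the exact variants it was written for, so an exact match is the signal that the query above will return the columns the parser expects.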
plaso.parsers.sqlite_plugins.android_webviewcache module

Parser for Android WebviewCache databases.

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData[source]

Bases: plaso.containers.events.EventData

Android WebViewCache event data.

content_length

int – size of the cached content.

url

str – URL the content was retrieved from.

DATA_TYPE = 'android:webviewcache'
class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Android WebViewCache databases.

DESCRIPTION = 'Parser for Android WebViewCache databases'
NAME = 'android_webviewcache'
ParseRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = frozenset({('SELECT url, contentlength, expires, lastmodify FROM cache', 'ParseRow')})
REQUIRED_TABLES = frozenset({'cache', 'android_metadata'})
SCHEMAS = [{'cache': 'CREATE TABLE cache (_id INTEGER PRIMARY KEY, url TEXT, filepath TEXT, lastmodify TEXT, etag TEXT, expires INTEGER, expiresstring TEXT, mimetype TEXT, encoding TEXT, httpstatus INTEGER, location TEXT, contentlength INTEGER, contentdisposition TEXT, UNIQUE (url) ON CONFLICT REPLACE)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)'}]
plaso.parsers.sqlite_plugins.appusage module

This module contains a parser for MacOS application usage.

The application usage is stored in a SQLite database file named /var/db/application_usage.sqlite

class plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse Application Usage history files.

Application usage is a SQLite database in which crankd logs entries triggered by the NSWorkspaceWillLaunchApplicationNotification and NSWorkspaceDidTerminateApplicationNotification NSWorkspace notifications.

See the code here: http://code.google.com/p/google-macops/source/browse/trunk/crankd/ApplicationUsage.py

Default installation: /var/db/application_usage.sqlite

DESCRIPTION = 'Parser for MacOS application usage SQLite database files.'
NAME = 'appusage'
ParseApplicationUsageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an application usage row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT last_time, event, bundle_id, app_version, app_path, number_times FROM application_usage ORDER BY last_time', 'ParseApplicationUsageRow')]
REQUIRED_TABLES = frozenset({'application_usage'})
SCHEMAS = [{'application_usage': 'CREATE TABLE application_usage (event TEXT, bundle_id TEXT, app_version TEXT, app_path TEXT, last_time INTEGER DEFAULT 0, number_times INTEGER DEFAULT 0, PRIMARY KEY (event, bundle_id))'}]
class plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData[source]

Bases: plaso.containers.events.EventData

MacOS application usage event data.

application

str – name of the application.

app_version

str – version of the application.

bundle_id

str – bundle identifier of the application.

count

int – TODO: number of times what?

DATA_TYPE = 'macosx:application_usage'
plaso.parsers.sqlite_plugins.chrome module

Parser for the Google Chrome History files.

The Chrome History is stored in SQLite database files named History and Archived History, where Archived History does not contain the downloads table.

class plaso.parsers.sqlite_plugins.chrome.BaseGoogleChromeHistoryPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Google Chrome history SQLite database plugin.

ParseLastVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a last visited row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
  • cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.
  • database (Optional[SQLiteDatabase]) – database.
class plaso.parsers.sqlite_plugins.chrome.ChromeHistoryFileDownloadedEventData[source]

Bases: plaso.containers.events.EventData

Chrome History file downloaded event data.

full_path

str – full path where the file was downloaded to.

received_bytes

int – number of bytes received while downloading.

total_bytes

int – total number of bytes to download.

url

str – URL of the downloaded file.

DATA_TYPE = 'chrome:history:file_downloaded'
class plaso.parsers.sqlite_plugins.chrome.ChromeHistoryPageVisitedEventData[source]

Bases: plaso.containers.events.EventData

Chrome History page visited event data.

from_visit

str – URL where the visit originated from.

page_transition_type

int – type of transitions between pages.

title

str – title of the visited page.

typed_count

int – number of characters of the URL that were typed.

url

str – URL of the visited page.

url_hidden

bool – True if the URL is hidden.

visit_source

int – source of the page visit.

DATA_TYPE = 'chrome:history:page_visited'
class plaso.parsers.sqlite_plugins.chrome.GoogleChrome27HistoryPlugin[source]

Bases: plaso.parsers.sqlite_plugins.chrome.BaseGoogleChromeHistoryPlugin

Google Chrome 27 - 65 history SQLite database plugin.

DESCRIPTION = 'Parser for Google Chrome 27 and up history SQLite database files.'
NAME = 'chrome_27_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a file downloaded row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT downloads.id AS id, downloads.start_time,downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id', 'ParseFileDownloadedRow')]
REQUIRED_TABLES = frozenset({'urls', 'downloads_url_chains', 'meta', 'visit_source', 'visits', 'downloads', 'keyword_search_terms'})
SCHEMAS = [{'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL, mime_type VARCHAR(255) NOT NULL DEFAULT "", original_mime_type VARCHAR(255) NOT NULL DEFAULT "", guid VARCHAR NOT NULL DEFAULT \'\', hash BLOB NOT NULL DEFAULT X\'\', http_method VARCHAR NOT NULL DEFAULT \'\', tab_url VARCHAR NOT NULL DEFAULT \'\', tab_referrer_url VARCHAR NOT NULL DEFAULT \'\', site_url VARCHAR NOT NULL DEFAULT \'\', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}]
class plaso.parsers.sqlite_plugins.chrome.GoogleChrome8HistoryPlugin[source]

Bases: plaso.parsers.sqlite_plugins.chrome.BaseGoogleChromeHistoryPlugin

Google Chrome 8 - 25 history SQLite database plugin.

DESCRIPTION = 'Parser for Google Chrome 8 - 25 history SQLite database files.'
NAME = 'chrome_8_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a file downloaded row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT id, full_path, url, start_time, received_bytes, total_bytes,state FROM downloads', 'ParseFileDownloadedRow')]
REQUIRED_TABLES = frozenset({'urls', 'meta', 'visit_source', 'presentation', 'visits', 'downloads', 'keyword_search_terms'})
SCHEMAS = [{'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 
'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER 
NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}, {'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT 
NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)'}]
plaso.parsers.sqlite_plugins.chrome_autofill module

Parser for Google Chrome autofill entries.

The Chrome autofill information is stored in SQLite database files named Web Data.

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData[source]

Bases: plaso.containers.events.EventData

Chrome Autofill event data.

field_name

str – name of form field.

value

str – value populated in form field.

usage_count

int – count of times value has been used in field_name.

DATA_TYPE = 'chrome:autofill:entry'
class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Plugin to parse Chrome Autofill entries from Web Data database files.

DESCRIPTION = 'Parser for Chrome autofill SQLite database files.'
NAME = 'chrome_autofill'
ParseAutofillRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an autofill entry row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT autofill.date_created, autofill.date_last_used, autofill.name, autofill.value, autofill.count FROM autofill ORDER BY date_created', 'ParseAutofillRow')]
REQUIRED_TABLES = frozenset({'autofill'})
SCHEMAS = [{'autofill': 'CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value));)'}]
plaso.parsers.sqlite_plugins.chrome_cookies module

Parser for the Google Chrome Cookie database.

class plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData[source]

Bases: plaso.containers.events.EventData

Chrome Cookie event data.

cookie_name

str – name of the cookie.

host

str – hostname of host that set the cookie value.

httponly

bool – True if the cookie cannot be accessed through client side script.

path

str – path where the cookie got set.

persistent

bool – True if the cookie is persistent.

secure

bool – True if the cookie should only be transmitted over a secure channel.

url

str – URL or path where the cookie got set.

data

str – value of the cookie.

DATA_TYPE = 'chrome:cookie:entry'
class plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookiePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parses a Chrome Cookies file.

DESCRIPTION = 'Parser for Chrome cookies SQLite database files.'
GA_UTMZ_TRANSLATION = {'utmccn': 'Ad campaign information.', 'utmcct': 'Path to the page of referring link.', 'utmcmd': 'Last type of visit.', 'utmcsr': 'Last source used to access.', 'utmctr': 'Keywords used to find site.'}
NAME = 'chrome_cookies'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a cookie row.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from the query.
QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent FROM cookies', 'ParseCookieRow'), ('SELECT creation_utc, host_key, name, value, path, expires_utc, is_secure AS secure, is_httponly AS httponly, last_access_utc, has_expires, is_persistent AS persistent FROM cookies', 'ParseCookieRow')]
REQUIRED_TABLES = frozenset({'cookies', 'meta'})
SCHEMAS = [{'cookies': 'CREATE TABLE cookies (creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, secure INTEGER NOT NULL, httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER DEFAULT 1, persistent INTEGER DEFAULT 1)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]
URLS = ['http://src.chromium.org/svn/trunk/src/net/cookies/', 'http://www.dfinews.com/articles/2012/02/google-analytics-cookies-and-forensic-implications']
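The two entries in QUERIES above select the same columns but differ in the names of the flag columns (secure/httponly/persistent versus is_secure/is_httponly/is_persistent aliased back to the old names), which is how one plugin reads both older and newer Cookies schemas. The following is an added example, not plaso's own code: it builds an in-memory database from the documented cookies and meta schema, checks REQUIRED_TABLES against sqlite_master, runs the first documented query the schema accepts, and converts creation_utc from Chrome's WebKit timestamp (microseconds since 1601-01-01 UTC) to a datetime. The sample rows are constructed; the try-each-query fallback and the helper names are this example's own, and plaso's actual schema-matching logic (in plaso.parsers.sqlite_plugins.interface) is not shown here.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Schema and queries copied from the documented ChromeCookiePlugin constants above.
COOKIES_SCHEMA = (
    'CREATE TABLE cookies (creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY, '
    'host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, '
    'path TEXT NOT NULL, expires_utc INTEGER NOT NULL, secure INTEGER NOT NULL, '
    'httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, '
    'has_expires INTEGER DEFAULT 1, persistent INTEGER DEFAULT 1)')
META_SCHEMA = (
    'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)')
REQUIRED_TABLES = frozenset({'cookies', 'meta'})
QUERIES = [
    ('SELECT creation_utc, host_key, name, value, path, expires_utc, secure, '
     'httponly, last_access_utc, has_expires, persistent FROM cookies',
     'ParseCookieRow'),
    ('SELECT creation_utc, host_key, name, value, path, expires_utc, '
     'is_secure AS secure, is_httponly AS httponly, last_access_utc, has_expires, '
     'is_persistent AS persistent FROM cookies',
     'ParseCookieRow'),
]

# Chrome stores cookie times as microseconds since 1601-01-01 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed sample value: 2020-01-01T00:00:00Z as WebKit time,
# i.e. (11644473600 + 1577836800) * 10**6 microseconds.
SAMPLE_CREATION = 13222310400000000


def webkit_time_to_datetime(value):
    """Convert a WebKit/Chrome timestamp (microseconds since 1601) to a UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def build_sample_database():
    """Constructed in-memory Cookies database with two sample rows (not real data)."""
    conn = sqlite3.connect(':memory:')
    conn.row_factory = sqlite3.Row
    conn.execute(COOKIES_SCHEMA)
    conn.execute(META_SCHEMA)
    conn.execute("INSERT INTO meta VALUES ('version', '9')")
    rows = [
        # creation_utc, host_key, name, value, path, expires_utc, secure, httponly,
        # last_access_utc, has_expires, persistent
        (SAMPLE_CREATION, '.example.com', 'session', 'abc123', '/',
         SAMPLE_CREATION + 86400 * 10**6, 1, 1, SAMPLE_CREATION, 1, 1),
        (SAMPLE_CREATION + 10**6, '.example.com', 'tracking', 'xyz', '/',
         0, 0, 0, SAMPLE_CREATION + 10**6, 0, 0),
    ]
    conn.executemany('INSERT INTO cookies VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)', rows)
    return conn


def has_required_tables(conn, required=REQUIRED_TABLES):
    """Gate on REQUIRED_TABLES before running any query, as a plugin does."""
    names = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    return required <= names


def run_first_supported_query(conn, queries=QUERIES):
    """Return (callback name, rows) for the first documented query the schema accepts.

    Assumption made by this example: a schema with the old column names rejects the
    second query with OperationalError and a schema with the new names rejects the first.
    """
    for query, callback in queries:
        try:
            return callback, conn.execute(query).fetchall()
        except sqlite3.OperationalError:
            continue
    return None, []


def parse_cookies(conn):
    """Produce dicts mirroring the ChromeCookieEventData attributes documented above."""
    if not has_required_tables(conn):
        return []
    _callback, rows = run_first_supported_query(conn)
    return [{
        'host': row['host_key'],
        'cookie_name': row['name'],
        'data': row['value'],
        'path': row['path'],
        'secure': bool(row['secure']),
        'httponly': bool(row['httponly']),
        'persistent': bool(row['persistent']),
        'created': webkit_time_to_datetime(row['creation_utc']),
    } for row in rows]


if __name__ == '__main__':
    for cookie in parse_cookies(build_sample_database()):
        print(cookie['created'].isoformat(), cookie['host'], cookie['cookie_name'],
              'secure' if cookie['secure'] else 'NOT secure',
              'httponly' if cookie['httponly'] else 'NOT httponly')
```

Run against a copied Cookies file by replacing build_sample_database() with sqlite3.connect() on a read-only copy; the timestamp conversion is the part analysts most often get wrong when comparing Chrome cookie times with other timeline sources.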
plaso.parsers.sqlite_plugins.chrome_extension_activity module

Parser for the Google Chrome extension activity database files.

The Chrome extension activity is stored in SQLite database files named Extension Activity.

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData[source]

Bases: plaso.containers.events.EventData

Chrome Extension Activity event data.

action_type

str – action type.

activity_id

str – activity identifier.

api_name

str – name of API.

arg_url

str – URL argument.

args

str – arguments.

extension_id

str – extension identifier.

other

str – other.

page_title

str – title of webpage.

page_url

str – URL of webpage.

DATA_TYPE = 'chrome:extension_activity:activity_log'
class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Plugin to parse Chrome extension activity database files.

DESCRIPTION = 'Parser for Chrome extension activity SQLite database files.'
NAME = 'chrome_extension_activity'
ParseActivityLogUncompressedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses an activity log row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT time, extension_id, action_type, api_name, args, page_url, page_title, arg_url, other, activity_id FROM activitylog_uncompressed ORDER BY time', 'ParseActivityLogUncompressedRow')]
REQUIRED_TABLES = frozenset({'activitylog_compressed', 'string_ids', 'url_ids'})
SCHEMAS = [{'activitylog_compressed': 'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, action_type INTEGER, api_name_x INTEGER, args_x INTEGER, page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, other_x INTEGER)', 'string_ids': 'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)', 'url_ids': 'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)'}]
plaso.parsers.sqlite_plugins.firefox module

This file contains a parser for the Mozilla Firefox history.

class plaso.parsers.sqlite_plugins.firefox.FirefoxDownloadEventData[source]

Bases: plaso.containers.events.EventData

Firefox download event data.

full_path

str – full path of the target of the download.

mime_type

str – mime type of the download.

name

str – name of the download.

received_bytes

int – number of bytes received.

referrer

str – referrer URL of the download.

temporary_location

str – temporary location of the download.

total_bytes

int – total number of bytes of the download.

url

str – source URL of the download.

DATA_TYPE = 'firefox:downloads:download'
class plaso.parsers.sqlite_plugins.firefox.FirefoxDownloadsPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parses a Firefox downloads file.

The Firefox downloads history is stored in a SQLite database file named downloads.sqlite.

DESCRIPTION = 'Parser for Firefox downloads SQLite database files.'
NAME = 'firefox_downloads'
ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a downloads row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT moz_downloads.id, moz_downloads.name, moz_downloads.source, moz_downloads.target, moz_downloads.tempPath, moz_downloads.startTime, moz_downloads.endTime, moz_downloads.state, moz_downloads.referrer, moz_downloads.currBytes, moz_downloads.maxBytes, moz_downloads.mimeType FROM moz_downloads', 'ParseDownloadsRow')]
REQUIRED_TABLES = frozenset({'moz_downloads'})
SCHEMAS = [{'moz_downloads': 'CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT, tempPath TEXT, startTime INTEGER, endTime INTEGER, state INTEGER, referrer TEXT, entityID TEXT, currBytes INTEGER NOT NULL DEFAULT 0, maxBytes INTEGER NOT NULL DEFAULT -1, mimeType TEXT, preferredApplication TEXT, preferredAction INTEGER NOT NULL DEFAULT 0, autoResume INTEGER NOT NULL DEFAULT 0)'}]
class plaso.parsers.sqlite_plugins.firefox.FirefoxHistoryPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parses a Firefox history file.

The Firefox history is stored in a SQLite database file named places.sqlite.

DESCRIPTION = 'Parser for Firefox history SQLite database files.'
NAME = 'firefox_history'
ParseBookmarkAnnotationRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark annotation row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
ParseBookmarkFolderRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark folder row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
ParseBookmarkRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a bookmark row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
ParsePageVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a page visited row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
  • cache (Optional[SQLiteCache]) – cache.
  • database (Optional[SQLiteDatabase]) – database.
QUERIES = [('SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_historyvisits.visit_date, moz_historyvisits.from_visit, moz_places.rev_host, moz_places.hidden, moz_places.typed, moz_historyvisits.visit_type FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id', 'ParsePageVisitedRow'), ('SELECT moz_bookmarks.type, moz_bookmarks.title AS bookmark_title, moz_bookmarks.dateAdded, moz_bookmarks.lastModified, moz_places.url, moz_places.title AS places_title, moz_places.rev_host, moz_places.visit_count, moz_bookmarks.id FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3', 'ParseBookmarkRow'), ('SELECT moz_items_annos.content, moz_items_annos.dateAdded, moz_items_annos.lastModified, moz_bookmarks.title, moz_places.url, moz_places.rev_host, moz_items_annos.id FROM moz_items_annos, moz_bookmarks, moz_places WHERE moz_items_annos.item_id = moz_bookmarks.id AND moz_bookmarks.fk = moz_places.id', 'ParseBookmarkAnnotationRow'), ('SELECT moz_bookmarks.id, moz_bookmarks.title,moz_bookmarks.dateAdded, moz_bookmarks.lastModified FROM moz_bookmarks WHERE moz_bookmarks.type = 2', 'ParseBookmarkFolderRow')]
REQUIRED_TABLES = frozenset({'moz_bookmarks', 'moz_places', 'moz_items_annos', 'moz_historyvisits'})
SCHEMAS = [{'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER )', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG)', 'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY 
AUTOINCREMENT, keyword TEXT UNIQUE)'}, {'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER, guid TEXT)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG, guid TEXT)', 'moz_hosts': 'CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY, host TEXT NOT NULL UNIQUE, frecency INTEGER, typed INTEGER NOT NULL DEFAULT 0, prefix TEXT)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT)', 'sqlite_stat1': 'CREATE TABLE 
sqlite_stat1(tbl, idx, stat)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)'}]
URL_CACHE_QUERY = 'SELECT h.id AS id, p.url, p.rev_host FROM moz_places p, moz_historyvisits h WHERE p.id = h.place_id'
class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesBookmarkAnnotationEventData[source]

Bases: plaso.containers.events.EventData

Firefox bookmark annotation event data.

content

str – annotation content.

title

str – title of the bookmark folder.

url

str – bookmarked URL.

DATA_TYPE = 'firefox:places:bookmark_annotation'
class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesBookmarkEventData[source]

Bases: plaso.containers.events.EventData

Firefox bookmark event data.

bookmark_type

int – bookmark type.

hostname

str – hostname.

places_title

str – places title.

title

str – title of the bookmark folder.

url

str – bookmarked URL.

visit_count

int – visit count.

DATA_TYPE = 'firefox:places:bookmark'
class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesBookmarkFolderEventData[source]

Bases: plaso.containers.events.EventData

Firefox bookmark folder event data.

title

str – title of the bookmark folder.

DATA_TYPE = 'firefox:places:bookmark_folder'
class plaso.parsers.sqlite_plugins.firefox.FirefoxPlacesPageVisitedEventData[source]

Bases: plaso.containers.events.EventData

Firefox page visited event data.

extra

list[object] – extra event data.

hostname

str – visited hostname.

title

str – title of the visited page.

url

str – URL of the visited page.

visit_count

int – visit count.

visit_type

str – transition type for the event.

DATA_TYPE = 'firefox:places:page_visited'
plaso.parsers.sqlite_plugins.firefox_cookies module

Parser for the Firefox Cookie database.

class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData[source]

Bases: plaso.containers.events.EventData

Firefox Cookie event data.

cookie_name

str – name field of the cookie.

data

str – cookie data.

httponly

bool – True if the cookie cannot be accessed through client side script.

host

str – hostname of host that set the cookie value.

path

str – URI of the page that set the cookie.

secure

bool – True if the cookie should only be transmitted over a secure channel.

DATA_TYPE = 'firefox:cookie:entry'
class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for the Firefox Cookie database.

DESCRIPTION = 'Parser for Firefox cookies SQLite database files.'
NAME = 'firefox_cookies'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a cookie row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT id, baseDomain, name, value, host, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly FROM moz_cookies', 'ParseCookieRow')]
REQUIRED_TABLES = frozenset({'moz_cookies'})
SCHEMAS = [{'moz_cookies': 'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))'}]
URLS = ['https://hg.mozilla.org/mozilla-central/file/349a2f003529/netwerk/cookie/nsCookie.h']
plaso.parsers.sqlite_plugins.gdrive module

This file contains a parser for the Google Drive snapshots.

The Google Drive snapshots are stored in SQLite database files named snapshot.db.

class plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for Google Drive snapshot.db files.

CLOUD_PATH_CACHE_QUERY = 'SELECT cloud_entry.filename, cloud_entry.resource_id, cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations WHERE cloud_entry.doc_type = 0 AND cloud_entry.resource_id = cloud_relations.child_resource_id'
DESCRIPTION = 'Parser for Google Drive SQLite database files.'
GetCloudPath(resource_id, cache, database)[source]

Return cloud path given a resource id.

Parameters:
  • resource_id (str) – resource identifier for the file.
  • cache (SQLiteCache) – cache.
  • database (SQLiteDatabase) – database.
Returns:

full path to the resource value.

Return type:

str

GetLocalPath(inode, cache, database)[source]

Return local path for a given inode.

Parameters:
Returns:

full path, including the filename of the given inode value.

Return type:

str

LOCAL_PATH_CACHE_QUERY = 'SELECT local_relations.child_inode_number, local_relations.parent_inode_number, local_entry.filename FROM local_relations, local_entry WHERE local_relations.child_inode_number = local_entry.inode_number'
NAME = 'google_drive'
ParseCloudEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a cloud entry row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
  • cache (SQLiteCache) – cache.
  • database (SQLiteDatabase) – database.
ParseLocalEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a local entry row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
  • cache (Optional[SQLiteCache]) – cache.
  • database (Optional[SQLiteDatabase]) – database.
QUERIES = [('SELECT cloud_entry.resource_id, cloud_entry.filename, cloud_entry.modified, cloud_entry.created, cloud_entry.size, cloud_entry.doc_type, cloud_entry.shared, cloud_entry.checksum, cloud_entry.url, cloud_relations.parent_resource_id FROM cloud_entry, cloud_relations WHERE cloud_relations.child_resource_id = cloud_entry.resource_id AND cloud_entry.modified IS NOT NULL;', 'ParseCloudEntryRow'), ('SELECT inode_number, filename, modified, checksum, size FROM local_entry WHERE modified IS NOT NULL;', 'ParseLocalEntryRow')]
REQUIRED_TABLES = frozenset({'overlay_status', 'mapping', 'cloud_entry', 'local_entry', 'local_relations', 'cloud_relations'})
SCHEMAS = [{'overlay_status': 'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, PRIMARY KEY (path))', 'mapping': 'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES cloud_entry(resource_id))', 'cloud_entry': 'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, url TEXT, size INTEGER, checksum TEXT, shared INTEGER, PRIMARY KEY (resource_id))', 'local_entry': 'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY (inode_number))', 'local_relations': 'CREATE TABLE local_relations (child_inode_number INTEGER, parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN KEY (parent_inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (child_inode_number) REFERENCES local_entry(inode_number))', 'cloud_relations': 'CREATE TABLE cloud_relations (child_resource_id TEXT, parent_resource_id TEXT, UNIQUE (child_resource_id, parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) REFERENCES cloud_entry(resource_id))'}]
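GetCloudPath and CLOUD_PATH_CACHE_QUERY above work together: the cache query pulls every folder with its parent from cloud_relations once, and the path for any resource is then reconstructed by walking those parent links up to the root. The following is an added example and not plaso's code: it creates an in-memory snapshot.db from the documented cloud_entry and cloud_relations schema, runs the documented cache query to build a folder map, and walks parents to produce full paths for the files. It assumes that doc_type 0, the value the cache query filters on, denotes a folder (an assumption, not stated on this page), and it refuses to loop on a parent cycle in a damaged or tampered snapshot. The sample rows and helper names are constructed.

```python
import sqlite3

# Schema statements and the cache query copied from the documented GoogleDrivePlugin constants.
CLOUD_ENTRY_SCHEMA = (
    'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified INTEGER, '
    'created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, url TEXT, '
    'size INTEGER, checksum TEXT, shared INTEGER, PRIMARY KEY (resource_id))')
CLOUD_RELATIONS_SCHEMA = (
    'CREATE TABLE cloud_relations (child_resource_id TEXT, parent_resource_id TEXT, '
    'UNIQUE (child_resource_id, parent_resource_id), '
    'FOREIGN KEY (child_resource_id) REFERENCES cloud_entry(resource_id), '
    'FOREIGN KEY (parent_resource_id) REFERENCES cloud_entry(resource_id))')
CLOUD_PATH_CACHE_QUERY = (
    'SELECT cloud_entry.filename, cloud_entry.resource_id, '
    'cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations '
    'WHERE cloud_entry.doc_type = 0 '
    'AND cloud_entry.resource_id = cloud_relations.child_resource_id')

# Assumption for this example: doc_type 0 (the value the cache query filters on)
# is a folder; the constructed sample uses 1 for ordinary files.
DOC_TYPE_FOLDER = 0
DOC_TYPE_FILE = 1


def build_sample_database():
    """Constructed in-memory snapshot.db with a small folder tree (not real data)."""
    conn = sqlite3.connect(':memory:')
    conn.row_factory = sqlite3.Row
    conn.execute(CLOUD_ENTRY_SCHEMA)
    conn.execute(CLOUD_RELATIONS_SCHEMA)
    entries = [
        ('folder:root', 'Root', DOC_TYPE_FOLDER),
        ('folder:1', 'Projects', DOC_TYPE_FOLDER),
        ('folder:2', 'Case-42', DOC_TYPE_FOLDER),
        ('file:1', 'notes.txt', DOC_TYPE_FILE),
        ('file:2', 'evidence.zip', DOC_TYPE_FILE),
    ]
    conn.executemany(
        'INSERT INTO cloud_entry (resource_id, filename, modified, created, doc_type, '
        'removed, size, shared) VALUES (?, ?, 1, 1, ?, 0, 0, 0)', entries)
    # child -> parent pairs; the root has no parent row, which terminates the walk.
    relations = [
        ('folder:1', 'folder:root'),
        ('folder:2', 'folder:1'),
        ('file:1', 'folder:2'),
        ('file:2', 'folder:root'),
    ]
    conn.executemany('INSERT INTO cloud_relations VALUES (?, ?)', relations)
    return conn


def load_folder_map(conn):
    """Run the documented cache query once: folder resource_id -> (name, parent id)."""
    return {row['resource_id']: (row['filename'], row['parent'])
            for row in conn.execute(CLOUD_PATH_CACHE_QUERY)}


def get_cloud_path(resource_id, folder_map, max_depth=256):
    """Return the folder path for resource_id by walking parent links to the root."""
    parts = []
    seen = set()
    current = resource_id
    while current in folder_map:
        # A damaged or tampered snapshot could contain a parent cycle; fail loudly
        # instead of looping forever.
        if current in seen or len(parts) >= max_depth:
            raise ValueError(
                'cloud_relations cycle or excessive depth at {0}'.format(current))
        seen.add(current)
        name, parent = folder_map[current]
        parts.append(name)
        current = parent
    if not parts:
        return '/'
    return '/' + '/'.join(reversed(parts)) + '/'


def list_cloud_files(conn):
    """Map each file's resource_id to its reconstructed full cloud path."""
    folder_map = load_folder_map(conn)
    query = (
        'SELECT cloud_entry.resource_id, cloud_entry.filename, '
        'cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations '
        'WHERE cloud_relations.child_resource_id = cloud_entry.resource_id '
        'AND cloud_entry.doc_type != ?')
    return {row['resource_id']: get_cloud_path(row['parent'], folder_map) + row['filename']
            for row in conn.execute(query, (DOC_TYPE_FOLDER,))}


if __name__ == '__main__':
    for resource_id, path in sorted(list_cloud_files(build_sample_database()).items()):
        print(resource_id, path)
```

Building the folder map once and walking it in memory is what makes the cache query worthwhile: a snapshot with thousands of files would otherwise need one recursive lookup per file, and a depth bound plus cycle check keeps a malformed relations table from stalling the whole extraction.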
class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData[source]

Bases: plaso.containers.events.EventData

Google Drive snapshot cloud entry event data.

doc_type

int – document type.

path

str – path of the file.

shared

bool – True if the file is shared, False if the file is private.

size

int – size of the file.

url

str – URL of the file.

DATA_TYPE = 'gdrive:snapshot:cloud_entry'
class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData[source]

Bases: plaso.containers.events.EventData

Google Drive snapshot local entry event data.

path

str – path of the file.

size

int – size of the file.

DATA_TYPE = 'gdrive:snapshot:local_entry'
plaso.parsers.sqlite_plugins.hangouts_messages module

This file contains a parser for the Google Hangouts Active Conversations DB.

/data/com.google.android.talk/databases/babel.db

This SQLite database is the conversation database for conversations, participant names, messages, and information about the Google Hangout event. There can be multiple babel.db databases, and each database name will be followed by an integer starting with 0 (e.g., babel0.db, babel1.db, babel3.db).

class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData[source]

Bases: plaso.containers.events.EventData

GoogleHangouts Message event data.

sender

str – name of the sender.

body

str – content of the SMS text message.

message_status

int – message status.

message_type

int – message type.

DATA_TYPE = 'android:messaging:hangouts'
class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Google Hangouts databases.

DESCRIPTION = 'Parser for Google Hangouts Messages SQLite database files.'
NAME = 'hangouts_messages'
ParseMessagesRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a messages row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT messages._id, participants.full_name, text, messages.timestamp,status, type FROM messages INNER JOIN participants ON messages.author_chat_id=participants.chat_id;', 'ParseMessagesRow')]
REQUIRED_TABLES = frozenset({'messages', 'blocked_people', 'participants'})
SCHEMAS = [{'search': 'CREATE TABLE search (search_key TEXT NOT NULL,continuation_token TEXT,PRIMARY KEY (search_key))', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY, participant_row_id INT, participant_type INT, conversation_id TEXT, sequence INT, active INT, invitation_status INT DEFAULT(0), UNIQUE (conversation_id,participant_row_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, FOREIGN KEY (participant_row_id) REFERENCES participants(_id))', 'multipart_attachments': 'CREATE TABLE multipart_attachments (_id INTEGER PRIMARY KEY, message_id TEXT, conversation_id TEXT, url TEXT, content_type TEXT, width INT, height INT, FOREIGN KEY (message_id, conversation_id) REFERENCES messages(message_id, conversation_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participant_email_fts_docsize': "CREATE TABLE 'participant_email_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'messages': 'CREATE TABLE messages (_id INTEGER PRIMARY KEY, message_id TEXT, message_type INT, conversation_id TEXT, author_chat_id TEXT, author_gaia_id TEXT, text TEXT, timestamp INT, delete_after_read_timetamp INT, status INT, type INT, local_url TEXT, remote_url TEXT, attachment_content_type TEXT, width_pixels INT, height_pixels INT, stream_id TEXT, image_id TEXT, album_id TEXT, latitude DOUBLE, longitude DOUBLE, address ADDRESS, notification_level INT, expiration_timestamp INT, notified_for_failure INT DEFAULT(0), off_the_record INT DEFAULT(0), transport_type INT NOT NULL DEFAULT(1), transport_phone TEXT, external_ids TEXT, sms_timestamp_sent INT DEFAULT(0), sms_priority INT DEFAULT(0), sms_message_size INT DEFAULT(0), mms_subject TEXT, sms_raw_sender TEXT, sms_raw_recipients TEXT, persisted INT DEFAULT(1), sms_message_status INT DEFAULT(-1), sms_type INT DEFAULT(-1), stream_url TEXT, attachment_target_url TEXT, attachment_name TEXT, image_rotation INT DEFAULT (0), 
new_conversation_name TEXT, participant_keys TEXT, forwarded_mms_url TEXT, forwarded_mms_count INT DEFAULT(0), attachment_description TEXT, attachment_target_url_description TEXT, attachment_target_url_name TEXT, attachment_blob_data BLOB,attachment_uploading_progress INT DEFAULT(0), sending_error INT DEFAULT(0), stream_expiration INT, voicemail_length INT DEFAULT (0), call_media_type INT DEFAULT(0), last_seen_timestamp INT DEFAULT(0), observed_status INT DEFAULT(2), receive_type INT DEFAULT(0), init_timestamp INT DEFAULT(0), in_app_msg_latency INT DEFAULT(0), notified INT DEFAULT(0), alert_in_conversation_list INT DEFAULT(0), attachments BLOB, is_user_mentioned INT DEFAULT(0), local_id TEXT, request_task_row_id INT DEFAULT(-1), FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,message_id) ON CONFLICT REPLACE)', 'presence': 'CREATE TABLE presence (_id INTEGER PRIMARY KEY, gaia_id TEXT NOT NULL, reachable INT DEFAULT(0), reachable_time INT DEFAULT(0), available INT DEFAULT(0), available_time INT DEFAULT(0), status_message TEXT, status_message_time INT DEFAULT(0), call_type INT DEFAULT(0), call_type_time INT DEFAULT(0), device_status INT DEFAULT(0), device_status_time INT DEFAULT(0), last_seen INT DEFAULT(0), last_seen_time INT DEFAULT(0), location BLOB, location_time INT DEFAULT(0), UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'recent_calls': 'CREATE TABLE recent_calls (_id INTEGER PRIMARY KEY, normalized_number TEXT NOT NULL, phone_number TEXT, contact_id TEXT, call_timestamp INT, call_type INT, contact_type INT, call_rate TEXT, is_free_call BOOLEAN)', 'suggested_contacts': 'CREATE TABLE suggested_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, first_name TEXT, packed_circle_ids TEXT, profile_photo_url TEXT, sequence INT, suggestion_type INT, logging_id TEXT, affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'android_metadata': 'CREATE TABLE 
android_metadata (locale TEXT)', 'participant_email_fts': 'CREATE VIRTUAL TABLE participant_email_fts USING fts4(content="merged_contact_details", gaia_id,lookup_data)', 'participants_fts_docsize': "CREATE TABLE 'participants_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'merged_contact_details': 'CREATE TABLE merged_contact_details (_id INTEGER PRIMARY KEY, merged_contact_id INT, lookup_data_type INT, lookup_data TEXT, lookup_data_standardized TEXT, lookup_data_search TEXT, lookup_data_label TEXT, needs_gaia_ids_resolved INT DEFAULT (1), is_hangouts_user INT DEFAULT (0), gaia_id TEXT, avatar_url TEXT, display_name TEXT, last_checked_ts INT DEFAULT (0), lookup_data_display TEXT, detail_affinity_score REAL DEFAULT (0.0), detail_logging_id TEXT, is_in_viewer_dasher_domain INT DEFAULT (0), FOREIGN KEY (merged_contact_id) REFERENCES merged_contacts(_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participants': "CREATE TABLE participants (_id INTEGER PRIMARY KEY, participant_type INT DEFAULT 1, gaia_id TEXT, chat_id TEXT, phone_id TEXT, circle_id TEXT, first_name TEXT, full_name TEXT, fallback_name TEXT, profile_photo_url TEXT, batch_gebi_tag STRING DEFAULT('-1'), blocked INT DEFAULT(0), in_users_domain BOOLEAN, UNIQUE (circle_id) ON CONFLICT REPLACE, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)", 'mms_notification_inds': 'CREATE TABLE mms_notification_inds (_id INTEGER PRIMARY KEY, content_location TEXT, transaction_id TEXT, from_address TEXT, message_size INT DEFAULT(0), expiry INT)', 'dismissed_contacts': 'CREATE TABLE dismissed_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY, conversation_id TEXT, conversation_type INT, latest_message_timestamp INT DEFAULT(0), latest_message_expiration_timestamp INT, metadata_present 
INT,notification_level INT, name TEXT, generated_name TEXT, snippet_type INT, snippet_text TEXT, snippet_image_url TEXT, snippet_author_gaia_id TEXT, snippet_author_chat_id TEXT, snippet_message_row_id INT, snippet_selector INT, snippet_status INT, snippet_new_conversation_name TEXT, snippet_participant_keys TEXT, snippet_sms_type TEXT, previous_latest_timestamp INT, status INT, view INT, inviter_gaia_id TEXT, inviter_chat_id TEXT, inviter_affinity INT, is_pending_leave INT, account_id INT, is_otr INT, packed_avatar_urls TEXT, self_avatar_url TEXT, self_watermark INT DEFAULT(0), chat_watermark INT DEFAULT(0), hangout_watermark INT DEFAULT(0), is_draft INT, sequence_number INT, call_media_type INT DEFAULT(0), has_joined_hangout INT, has_chat_notifications DEFAULT(0),has_video_notifications DEFAULT(0),last_hangout_event_time INT, draft TEXT, otr_status INT, otr_toggle INT, last_otr_modification_time INT, continuation_token BLOB, continuation_event_timestamp INT, has_oldest_message INT DEFAULT(0), sort_timestamp INT, first_peak_scroll_time INT, first_peak_scroll_to_message_timestamp INT, second_peak_scroll_time INT, second_peak_scroll_to_message_timestamp INT, conversation_hash BLOB, disposition INT DEFAULT(0), has_persistent_events INT DEFAULT(-1), transport_type INT DEFAULT(1), default_transport_phone TEXT, sms_service_center TEXT, is_temporary INT DEFAULT (0), sms_thread_id INT DEFAULT (-1), chat_ringtone_uri TEXT, hangout_ringtone_uri TEXT, snippet_voicemail_duration INT DEFAULT (0), share_count INT DEFAULT(0), has_unobserved TEXT, last_share_timestamp INT DEFAULT(0), gls_status INT DEFAULT(0), gls_link TEXT, is_guest INT DEFAULT(0), UNIQUE (conversation_id ))', 'sticker_photos': 'CREATE TABLE sticker_photos (photo_id TEXT NOT NULL, album_id TEXT NOT NULL, url TEXT NOT NULL, file_name TEXT, last_used INT DEFAULT(0), PRIMARY KEY (photo_id), FOREIGN KEY (album_id) REFERENCES sticker_albums(album_id) ON DELETE CASCADE)', 'merged_contacts': 'CREATE TABLE 
merged_contacts (_id INTEGER PRIMARY KEY, contact_lookup_key TEXT, contact_id INT, raw_contact_id INT, display_name TEXT, avatar_url TEXT, is_frequent INT DEFAULT (0), is_favorite INT DEFAULT (0), contact_source INT DEFAULT(0), frequent_order INT, person_logging_id TEXT, person_affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'merge_keys': 'CREATE TABLE merge_keys (_id INTEGER PRIMARY KEY, conversation_id TEXT, merge_key TEXT, UNIQUE (conversation_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE )', 'event_suggestions': 'CREATE TABLE event_suggestions (_id INTEGER PRIMARY KEY, conversation_id TEXT, event_id TEXT, suggestion_id TEXT, timestamp INT, expiration_time_usec INT, type INT, gem_asset_url STRING, gem_horizontal_alignment INT, matched_message_substring TEXT, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,suggestion_id) ON CONFLICT REPLACE)', 'sticker_albums': 'CREATE TABLE sticker_albums (album_id TEXT NOT NULL, title TEXT, cover_photo_id TEXT, last_used INT DEFAULT(0), PRIMARY KEY (album_id))', 'participants_fts_segdir': "CREATE TABLE 'participants_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participant_email_fts_segments': "CREATE TABLE 'participant_email_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participants_fts_stat': "CREATE TABLE 'participants_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'participant_email_fts_segdir': "CREATE TABLE 'participant_email_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participants_fts': 'CREATE VIRTUAL TABLE participants_fts USING fts4(content="participants",gaia_id,full_name)', 'blocked_people': 'CREATE TABLE blocked_people (_id 
INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'participants_fts_segments': "CREATE TABLE 'participants_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participant_email_fts_stat': "CREATE TABLE 'participant_email_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)"}]
plaso.parsers.sqlite_plugins.imessage module

This file contains a parser for the iMessage database on OSX and iOS.

iMessage and SMS data in OSX and iOS are stored in SQLite databases named chat.db and sms.db respectively.

class plaso.parsers.sqlite_plugins.imessage.IMessageEventData[source]

Bases: plaso.containers.events.EventData

iMessage and SMS event data.

attachment_location

str – location of the attachment.

imessage_id

str – mobile number or email address the message was sent to or received from.

message_type

int – value to indicate the message was sent (1) or received (0).

read_receipt

bool – True if the message read receipt was received.

service

str – service, which is either SMS or iMessage.

text

str – content of the message.

DATA_TYPE = 'imessage:event:chat'
class plaso.parsers.sqlite_plugins.imessage.IMessagePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for the iMessage and SMS database.

DESCRIPTION = 'Parser for the iMessage and SMS SQLite databases on OSX and iOS.'
NAME = 'imessage'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT m.date, m.ROWID, h.id AS imessage_id, m.is_read AS read_receipt, m.is_from_me AS message_type, m.service, a.filename AS"attachment_location", m.text FROM message AS m JOIN handle AS h ON h.ROWID = m.handle_id LEFT OUTER JOIN message_attachment_join AS maj ON m.ROWID = maj.message_id LEFT OUTER JOIN attachment AS a ON maj.attachment_id = a.ROWID', 'ParseMessageRow')]
REQUIRED_TABLES = frozenset({'message', 'handle', 'message_attachment_join', 'attachment'})
SCHEMAS = [{'deleted_messages': 'CREATE TABLE deleted_messages (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, guid TEXT NOT NULL)', 'chat_handle_join': 'CREATE TABLE chat_handle_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, handle_id INTEGER REFERENCES handle (ROWID) ON DELETE CASCADE, UNIQUE(chat_id, handle_id))', 'chat': 'CREATE TABLE chat (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, style INTEGER, state INTEGER, account_id TEXT, properties BLOB, chat_identifier TEXT, service_name TEXT, room_name TEXT, account_login TEXT, is_archived INTEGER DEFAULT 0, last_addressed_handle TEXT, display_name TEXT, group_id TEXT, is_filtered INTEGER, successful_query INTEGER)', 'message': 'CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, text TEXT, replace INTEGER DEFAULT 0, service_center TEXT, handle_id INTEGER DEFAULT 0, subject TEXT, country TEXT, attributedBody BLOB, version INTEGER DEFAULT 0, type INTEGER DEFAULT 0, service TEXT, account TEXT, account_guid TEXT, error INTEGER DEFAULT 0, date INTEGER, date_read INTEGER, date_delivered INTEGER, is_delivered INTEGER DEFAULT 0, is_finished INTEGER DEFAULT 0, is_emote INTEGER DEFAULT 0, is_from_me INTEGER DEFAULT 0, is_empty INTEGER DEFAULT 0, is_delayed INTEGER DEFAULT 0, is_auto_reply INTEGER DEFAULT 0, is_prepared INTEGER DEFAULT 0, is_read INTEGER DEFAULT 0, is_system_message INTEGER DEFAULT 0, is_sent INTEGER DEFAULT 0, has_dd_results INTEGER DEFAULT 0, is_service_message INTEGER DEFAULT 0, is_forward INTEGER DEFAULT 0, was_downgraded INTEGER DEFAULT 0, is_archive INTEGER DEFAULT 0, cache_has_attachments INTEGER DEFAULT 0, cache_roomnames TEXT, was_data_detected INTEGER DEFAULT 0, was_deduplicated INTEGER DEFAULT 0, is_audio_message INTEGER DEFAULT 0, is_played INTEGER DEFAULT 0, date_played INTEGER, item_type INTEGER DEFAULT 0, other_handle INTEGER DEFAULT 0, group_title TEXT, group_action_type INTEGER DEFAULT 0, share_status INTEGER 
DEFAULT 0, share_direction INTEGER DEFAULT 0, is_expirable INTEGER DEFAULT 0, expire_state INTEGER DEFAULT 0, message_action_type INTEGER DEFAULT 0, message_source INTEGER DEFAULT 0)', 'handle': 'CREATE TABLE handle (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, id TEXT NOT NULL, country TEXT, service TEXT NOT NULL, uncanonicalized_id TEXT, UNIQUE (id, service) )', 'chat_message_join': 'CREATE TABLE chat_message_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, PRIMARY KEY (chat_id, message_id))', '_SqliteDatabaseProperties': 'CREATE TABLE _SqliteDatabaseProperties (key TEXT, value TEXT, UNIQUE(key))', 'message_attachment_join': 'CREATE TABLE message_attachment_join (message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, attachment_id INTEGER REFERENCES attachment (ROWID) ON DELETE CASCADE, UNIQUE(message_id, attachment_id))', 'attachment': 'CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, created_date INTEGER DEFAULT 0, start_date INTEGER DEFAULT 0, filename TEXT, uti TEXT, mime_type TEXT, transfer_state INTEGER DEFAULT 0, is_outgoing INTEGER DEFAULT 0, user_info BLOB, transfer_name TEXT, total_bytes INTEGER DEFAULT 0)'}]
plaso.parsers.sqlite_plugins.interface module

The SQLite parser plugin interface.

class plaso.parsers.sqlite_plugins.interface.SQLitePlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

SQLite parser plugin.

CheckSchema(database)[source]

Checks the schema of a database with that defined in the plugin.

Parameters:
  • database (SQLiteDatabase) – database.
Returns:
True if the schema of the database matches that defined by the plugin, or False if the schemas do not match or no schema is defined by the plugin.
Return type: bool
DESCRIPTION = 'Parser for SQLite database files.'
NAME = 'sqlite'
Process(parser_mediator, cache=None, database=None, **unused_kwargs)[source]

Determine if this is the right plugin for this database.

This function takes a SQLiteDatabase object and compares the list of required tables against the tables available in the database. If all the tables defined in REQUIRED_TABLES are present in the database, this plugin is considered to be the correct plugin for it and the function returns a generator that yields event objects.

Parameters:
Raises:
  • ValueError – If the database or cache value is missing.

QUERIES = []
REQUIRED_TABLES = frozenset()
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = []
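As an added illustration of the selection logic documented for Process and CheckSchema (my code, not plaso's), the following builds an in-memory database from the LSQuarantineEvent CREATE statement, required tables and query listed on this page for the ls_quarantine plugin, then runs the required-tables test, the strict schema comparison that REQUIRES_SCHEMA_MATCH gates, and the documented query over constructed rows. The whitespace normalization, the function names and the sample rows are assumptions of this example.

```python
"""Added example (not plaso's code): how a SQLite plugin decides whether a
database is its own, using the REQUIRED_TABLES / SCHEMAS / REQUIRES_SCHEMA_MATCH
semantics documented for SQLitePlugin, with the ls_quarantine schema as input."""
import re
import sqlite3

# CREATE statement, required tables and query as listed on this page for the
# ls_quarantine plugin.
LS_QUARANTINE_SCHEMA = {
    'LSQuarantineEvent': (
        'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT '
        'PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, '
        'LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, '
        'LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, '
        'LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, '
        'LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, '
        'LSQuarantineOriginAlias BLOB )')}
LS_QUARANTINE_REQUIRED_TABLES = frozenset({'LSQuarantineEvent'})
LS_QUARANTINE_QUERY = (
    'SELECT LSQuarantineTimestamp AS Time, LSQuarantineAgentName AS Agent, '
    'LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data '
    'FROM LSQuarantineEvent ORDER BY Time')


def _normalize(sql):
    """Collapses whitespace and case so cosmetic differences in the stored
    CREATE text do not produce a false schema mismatch (assumed normalization
    for this example, not necessarily the one plaso applies)."""
    return re.sub(r'\s+', ' ', sql).strip().lower()


def read_schema(connection):
    """Returns {table name: CREATE statement} from sqlite_master."""
    cursor = connection.execute(
        "SELECT name, sql FROM sqlite_master WHERE type = 'table'")
    return {name: sql for name, sql in cursor.fetchall() if sql}


def has_required_tables(connection, required_tables):
    """Mirrors the documented Process() test: every table in REQUIRED_TABLES
    must exist; extra tables in the database are not a problem."""
    return required_tables.issubset(read_schema(connection))


def schema_matches(connection, schemas):
    """Mirrors CheckSchema(): True only if the full set of tables and their
    definitions equals one of the plugin's known schemas; an empty SCHEMAS
    list therefore never matches."""
    actual = {name: _normalize(sql)
              for name, sql in read_schema(connection).items()}
    return any(
        {name: _normalize(sql) for name, sql in schema.items()} == actual
        for schema in schemas)


def plugin_applies(connection, required_tables, schemas, requires_schema_match):
    """Combines both checks the way the documented attributes describe."""
    if not has_required_tables(connection, required_tables):
        return False
    if requires_schema_match and not schema_matches(connection, schemas):
        return False
    return True


def build_sample_database():
    """Constructed in-memory quarantine database with two synthetic rows; one
    row lacks an origin URL, which a parser has to tolerate."""
    connection = sqlite3.connect(':memory:')
    for sql in LS_QUARANTINE_SCHEMA.values():
        connection.execute(sql)
    connection.executemany(
        'INSERT INTO LSQuarantineEvent (LSQuarantineEventIdentifier, '
        'LSQuarantineTimeStamp, LSQuarantineAgentName, '
        'LSQuarantineOriginURLString, LSQuarantineDataURLString) '
        'VALUES (?, ?, ?, ?, ?)',
        [('EVENT-0001', 500000000.5, 'Safari',
          'https://example.invalid/downloads',
          'https://example.invalid/installer.dmg'),
         ('EVENT-0002', 400000000.0, 'curl', None,
          'https://example.invalid/archive.zip')])
    connection.commit()
    return connection


def parse_quarantine_rows(connection):
    """Runs the plugin's documented query and returns one dict per row, in the
    query's ORDER BY Time order. Timestamps are returned as stored."""
    cursor = connection.cursor()
    cursor.row_factory = sqlite3.Row
    return [{'time': row['Time'], 'agent': row['Agent'],
             'url': row['URL'], 'data': row['Data']}
            for row in cursor.execute(LS_QUARANTINE_QUERY)]


if __name__ == '__main__':
    db = build_sample_database()
    print('applies:', plugin_applies(db, LS_QUARANTINE_REQUIRED_TABLES,
                                     [LS_QUARANTINE_SCHEMA], True))
    for event in parse_quarantine_rows(db):
        print(event)
    # Schema drift (a column added by a newer app version) keeps the required
    # tables present but breaks the strict schema match.
    db.execute('ALTER TABLE LSQuarantineEvent ADD COLUMN extra TEXT')
    print('strict match after drift:',
          schema_matches(db, [LS_QUARANTINE_SCHEMA]))
```

Run against a database whose schema has drifted, the example shows why a plugin with REQUIRES_SCHEMA_MATCH set silently skips the file while one relying only on REQUIRED_TABLES still parses it.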
plaso.parsers.sqlite_plugins.kik_ios module

This file contains a parser for the Kik database on iOS.

Kik messages on iOS devices are stored in an SQLite database file named kik.sqlite.

class plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData[source]

Bases: plaso.containers.events.EventData

Kik message event data.

body

str – content of the message.

message_status

str – message status, such as: read, unread, not sent, delivered, etc.

message_type

str – message type, either Sent or Received.

username

str – unique username of the sender or receiver.

DATA_TYPE = 'ios:kik:messaging'
class plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for Kik iOS database.

DESCRIPTION = 'Parser for iOS Kik messenger SQLite database files.'
NAME = 'kik_messenger'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', 'ParseMessageRow')]
REQUIRED_TABLES = frozenset({'ZKIKUSER', 'ZKIKMESSAGE'})
SCHEMAS = [{'Z_6ADMINSINVERSE': 'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, Z_6ADMINSINVERSE INTEGER, PRIMARY KEY (Z_6ADMINS, Z_6ADMINSINVERSE) )', 'ZKIKUSER': 'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ZCONTENTLINKSPROTODATA BLOB )', 'Z_3MESSAGES': 'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, Z_5MESSAGES INTEGER, PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )', 'ZKIKATTACHMENT': 'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA INTEGER, ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZCONTENT VARCHAR )', 'ZKIKCHAT': 'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED TIMESTAMP )', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)', 'Z_6MEMBERS': 'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )', 'ZKIKATTACHMENTEXTRA': 'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY BLOB )', 'ZKIKUSEREXTRA': 'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ZPUBLICMESSAGINGKEY BLOB )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_6BANSINVERSE': 'CREATE 
TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )', 'ZKIKCHATEXTRA': 'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ZMUTEDTIMESTAMP TIMESTAMP )', 'ZKIKMESSAGE': 'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZSTATE INTEGER, ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA INTEGER, ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, ZSTANZAID VARCHAR, ZRENDERINSTRUCTIONSET BLOB )'}]
plaso.parsers.sqlite_plugins.kodi module

This file contains a parser for the Kodi MyVideos.db database.

Kodi video events are stored in a database called MyVideos.db.

class plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Kodi Video databases.

DESCRIPTION = 'Parser for Kodi MyVideos.db files.'
NAME = 'kodi'
ParseVideoRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a Video row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT idFile,strFilename,playCount,lastPlayed FROM files;', 'ParseVideoRow')]
REQUIRED_TABLES = frozenset({'files'})
SCHEMAS = [{'studio': 'CREATE TABLE studio ( studio_id integer primary key, name TEXT)', 'sets': 'CREATE TABLE sets ( idSet integer primary key, strSet text, strOverview text)', 'tvshow': 'CREATE TABLE tvshow ( idShow integer primary key,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, duration INTEGER)', 'settings': 'CREATE TABLE settings ( idFile integer, Deinterlace bool,ViewMode integer,ZoomAmount float, PixelRatio float, VerticalShift float, AudioStream integer, SubtitleStream integer,SubtitleDelay float, SubtitlesOn bool, Brightness float, Contrast float, Gamma float,VolumeAmplification float, AudioDelay float, OutputToAllSpeakers bool, ResumeTime integer,Sharpness float, NoiseReduction float, NonLinStretch bool, PostProcess bool,ScalingMethod integer, DeinterlaceMode integer, StereoMode integer, StereoInvert bool, VideoStream integer)', 'episode': 'CREATE TABLE episode ( idEpisode integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 varchar(24),c13 varchar(24),c14 text,c15 text,c16 text,c17 varchar(24),c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idShow integer, userrating integer, idSeason integer)', 'movie': 'CREATE TABLE movie ( idMovie integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idSet integer, userrating integer, premiered text)', 'studio_link': 'CREATE TABLE studio_link (studio_id integer, media_id integer, media_type TEXT)', 'bookmark': 'CREATE TABLE bookmark ( idBookmark integer primary key, idFile integer, timeInSeconds double, totalTimeInSeconds double, 
thumbNailImage text, player text, playerState text, type integer)', 'streamdetails': 'CREATE TABLE streamdetails (idFile integer, iStreamType integer, strVideoCodec text, fVideoAspect float, iVideoWidth integer, iVideoHeight integer, strAudioCodec text, iAudioChannels integer, strAudioLanguage text, strSubtitleLanguage text, iVideoDuration integer, strStereoMode text, strVideoLanguage text)', 'writer_link': 'CREATE TABLE writer_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)', 'path': 'CREATE TABLE path ( idPath integer primary key, strPath text, strContent text, strScraper text, strHash text, scanRecursive integer, useFolderNames bool, strSettings text, noUpdate bool, exclude bool, dateAdded text, idParentPath integer)', 'tag': 'CREATE TABLE tag (tag_id integer primary key, name TEXT)', 'tag_link': 'CREATE TABLE tag_link (tag_id integer, media_id integer, media_type TEXT)', 'musicvideo': 'CREATE TABLE musicvideo ( idMVideo integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, premiered text)', 'movielinktvshow': 'CREATE TABLE movielinktvshow ( idMovie integer, IdShow integer)', 'seasons': 'CREATE TABLE seasons ( idSeason integer primary key, idShow integer, season integer, name text, userrating integer)', 'tvshowlinkpath': 'CREATE TABLE tvshowlinkpath (idShow integer, idPath integer)', 'files': 'CREATE TABLE files ( idFile integer primary key, idPath integer, strFilename text, playCount integer, lastPlayed text, dateAdded text)', 'uniqueid': 'CREATE TABLE uniqueid (uniqueid_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, value TEXT, type TEXT)', 'actor_link': 'CREATE TABLE actor_link(actor_id INTEGER, media_id INTEGER, media_type TEXT, role TEXT, cast_order INTEGER)', 'genre': 'CREATE TABLE genre ( genre_id integer primary key, 
name TEXT)', 'country_link': 'CREATE TABLE country_link (country_id integer, media_id integer, media_type TEXT)', 'version': 'CREATE TABLE version (idVersion integer, iCompressCount integer)', 'art': 'CREATE TABLE art(art_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, type TEXT, url TEXT)', 'actor': 'CREATE TABLE actor ( actor_id INTEGER PRIMARY KEY, name TEXT, art_urls TEXT )', 'country': 'CREATE TABLE country ( country_id integer primary key, name TEXT)', 'genre_link': 'CREATE TABLE genre_link (genre_id integer, media_id integer, media_type TEXT)', 'rating': 'CREATE TABLE rating (rating_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, rating_type TEXT, rating FLOAT, votes INTEGER)', 'stacktimes': 'CREATE TABLE stacktimes (idFile integer, times text)', 'director_link': 'CREATE TABLE director_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)'}]
class plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData[source]

Bases: plaso.containers.events.EventData

Kodi event data.

filename

str – video filename.

play_count

int – number of times the video has been played.

DATA_TYPE = 'kodi:videos:viewing'
plaso.parsers.sqlite_plugins.ls_quarantine module

Plugin for the MacOS launch services quarantine events.

class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData[source]

Bases: plaso.containers.events.EventData

MacOS launch services quarantine event data.

data

bytes – data.

url

str – original URL of the file.

user_agent

str – user agent that was used to download the file.

DATA_TYPE = 'macosx:lsquarantine'
class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parses the launch services quarantine events database.

The LS quarantine events are stored in SQLite database files named /Users/<username>/Library/Preferences/QuarantineEvents.com.apple.LaunchServices
DESCRIPTION = 'Parser for LS quarantine events SQLite database files.'
NAME = 'ls_quarantine'
ParseLSQuarantineRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a launch services quarantine event row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT LSQuarantineTimestamp AS Time, LSQuarantineAgentName AS Agent, LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ORDER BY Time', 'ParseLSQuarantineRow')]
REQUIRED_TABLES = frozenset({'LSQuarantineEvent'})
SCHEMAS = [{'LSQuarantineEvent': 'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB )'}]
plaso.parsers.sqlite_plugins.mac_document_versions module

Parser for the MacOS Document Versions files.

class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData[source]

Bases: plaso.containers.events.EventData

MacOS Document Versions database event data.

name

str – name of the original file.

path

str – path from the original file.

version_path

str – path to the version copy of the original file.

last_time

str – the system user ID of the user that opened the file.

user_sid

str – identification user ID of the user that opened the file.

DATA_TYPE = 'mac:document_versions:file'
class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse the MacOS Document Versions SQLite database.

DESCRIPTION = 'Parser for document revisions SQLite database files.'
DocumentVersionsRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a document versions row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
NAME = 'mac_document_versions'
QUERIES = [('SELECT f.file_name AS name, f.file_path AS path, f.file_last_seen AS last_time, g.generation_path AS version_path, g.generation_add_time AS version_time FROM files f, generations g WHERE f.file_storage_id = g.generation_storage_id;', 'DocumentVersionsRow')]
REQUIRED_TABLES = frozenset({'generations', 'files'})
ROOT_VERSION_PATH = '/.DocumentRevisions-V100/'
SCHEMAS = [{'generations': 'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, generation_storage_id INTEGER NOT NULL, generation_name TEXT NOT NULL, generation_client_id TEXT NOT NULL, generation_path TEXT UNIQUE, generation_options INTEGER NOT NULL DEFAULT 1, generation_status INTEGER NOT NULL DEFAULT 1, generation_add_time INTEGER NOT NULL DEFAULT 0, generation_size INTEGER NOT NULL DEFAULT 0, generation_prunable INTEGER NOT NULL DEFAULT 0)', 'files': 'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, file_name TEXT, file_parent_id INTEGER, file_path TEXT, file_inode INTEGER, file_last_seen INTEGER NOT NULL DEFAULT 0, file_status INTEGER NOT NULL DEFAULT 1, file_storage_id INTEGER NOT NULL)', 'storage': 'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC AUTOINCREMENT, storage_options INTEGER NOT NULL DEFAULT 1, storage_status INTEGER NOT NULL DEFAULT 1)'}]
plaso.parsers.sqlite_plugins.mac_notificationcenter module

This file contains a parser for the Notification Center database on MacOS.

Notification Center events on MacOS are stored in a SQLite database file named “db”; the path is usually something like /private/var/folders/<W><d>/../0/com.apple.notificationcenter/db2/

At the moment only the main table, ‘record’, is taken into consideration. Documentation of the behavior of each table is still a work in progress; the current tables and their presumed contents are the following:

  • Record: contains historical records
  • Requests: contains pending requests
  • Delivered: delivered requests
  • Displayed: displayed requests, by app_id
  • Snoozed: requests snoozed by the user
class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData[source]

Bases: plaso.containers.events.EventData

MacOS NotificationCenter database event data

body

str – body of the notification message

bundle_name

str – name of the application’s bundle that generated the notification.

presented

int – 1 if the notification has been shown to the user, 0 otherwise.

subtitle

str – optional. Subtitle of the notification message.

title

str – title of the message. Usually the name of the application that generated the notification; occasionally the name of the sender of the notification, for example in the case of chat messages.

DATA_TYPE = 'mac:notificationcenter:db'
class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse the MacOS Notification Center SQLite database.

DESCRIPTION = 'Parser for the Notification Center SQLite database'
NAME = 'mac_notificationcenter'
ParseNotificationcenterRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT a.identifier AS bundle_name, r.data AS dataBlob, r.delivered_date AS timestamp,r.presented AS presented FROM app a, record r WHERE a.app_id = r.app_id', 'ParseNotificationcenterRow')]
REQUIRED_TABLES = frozenset({'record', 'app'})
SCHEMAS = [{'requests': 'CREATE TABLE requests (app_id INTEGER PRIMARY KEY, list BLOB)', 'record': 'CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app_id INTEGER, uuid BLOB, data BLOB, request_date REAL, request_last_date REAL, delivered_date REAL, presented Bool, style INTEGER, snooze_fire_date REAL)', 'dbinfo': 'CREATE TABLE dbinfo (key VARCHAR, value VARCHAR)', 'displayed': 'CREATE TABLE displayed (app_id INTEGER PRIMARY KEY, list BLOB)', 'delivered': 'CREATE TABLE delivered (app_id INTEGER PRIMARY KEY, list BLOB)', 'snoozed': 'CREATE TABLE snoozed (app_id INTEGER PRIMARY KEY, list BLOB)', 'app': 'CREATE TABLE app (app_id INTEGER PRIMARY KEY, identifier VARCHAR)'}]
plaso.parsers.sqlite_plugins.mackeeper_cache module

This file contains a parser for the MacOS MacKeeper cache database.

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData[source]

Bases: plaso.containers.events.EventData

MacKeeper Cache event data.

description

str – description.

event_type

str – event type.

record_id

int – record identifier.

room

str – room.

text

str – text.

url

str – URL.

user_name

str – user name.

user_sid

str – user security identifier (SID).

DATA_TYPE = 'mackeeper:cache'
class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Plugin for the MacKeeper Cache database file.

DESCRIPTION = 'Parser for MacKeeper Cache SQLite database files.'
NAME = 'mackeeper_cache'
ParseReceiverData(parser_mediator, query, row, **unused_kwargs)[source]

Parses a single row from the receiver and cache response table.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT d.entry_ID AS id, d.receiver_data AS data, r.request_key, r.time_stamp AS time_string FROM cfurl_cache_receiver_data d, cfurl_cache_response r WHERE r.entry_ID = d.entry_ID', 'ParseReceiverData')]
REQUIRED_TABLES = frozenset({'cfurl_cache_receiver_data', 'cfurl_cache_blob_data', 'cfurl_cache_response'})
SCHEMAS = [{'cfurl_cache_receiver_data': 'CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)', 'cfurl_cache_blob_data': 'CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB, proto_props BLOB, user_info BLOB)', 'cfurl_cache_response': 'CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, version INTEGER, hash_value INTEGER, storage_policy INTEGER, request_key TEXT UNIQUE, time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT)', 'cfurl_cache_schema_version': 'CREATE TABLE cfurl_cache_schema_version(schema_version INTEGER)'}]
plaso.parsers.sqlite_plugins.safari module

Parser for the Safari History files.

The Safari history is stored in SQLite database files named History.db.

class plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData[source]

Bases: plaso.containers.events.EventData

Safari history event data.

host

str – hostname of the server.

title

str – title of the webpage visited.

url

str – URL visited.

visit_count

int – number of times the website was visited.

was_http_non_get

bool – True if the webpage was visited using a non-GET HTTP request.

DATA_TYPE = 'safari:history:visit_sqlite'
class plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse Safari History Files.

The Safari history is stored in a SQLite database file named History.db.

DESCRIPTION = 'Parser for Safari history SQLite database files.'
NAME = 'safari_history'
ParsePageVisitRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a visited row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT history_items.id, history_items.url, history_items.visit_count, history_visits.id AS visit_id, history_visits.history_item,history_visits.visit_time, history_visits.redirect_destination, history_visits.title, history_visits.http_non_get, history_visits.redirect_source FROM history_items, history_visits WHERE history_items.id = history_visits.history_item ORDER BY history_visits.visit_time', 'ParsePageVisitRow')]
REQUIRED_TABLES = frozenset({'history_visits', 'history_items'})
SCHEMAS = [{'history_client_versions': 'CREATE TABLE history_client_versions (client_version INTEGER PRIMARY KEY,last_seen REAL NOT NULL)', 'history_items': 'CREATE TABLE history_items (id INTEGER PRIMARY KEY AUTOINCREMENT,url TEXT NOT NULL UNIQUE,domain_expansion TEXT NULL,visit_count INTEGER NOT NULL,daily_visit_counts BLOB NOT NULL,weekly_visit_counts BLOB NULL,autocomplete_triggers BLOB NULL,should_recompute_derived_visit_counts INTEGER NOT NULL,visit_count_score INTEGER NOT NULL)', 'history_visits': 'CREATE TABLE history_visits (id INTEGER PRIMARY KEY AUTOINCREMENT,history_item INTEGER NOT NULL REFERENCES history_items(id) ON DELETE CASCADE,visit_time REAL NOT NULL,title TEXT NULL,load_successful BOOLEAN NOT NULL DEFAULT 1,http_non_get BOOLEAN NOT NULL DEFAULT 0,synthesized BOOLEAN NOT NULL DEFAULT 0,redirect_source INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,redirect_destination INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,origin INTEGER NOT NULL DEFAULT 0,generation INTEGER NOT NULL DEFAULT 0,attributes INTEGER NOT NULL DEFAULT 0,score INTEGER NOT NULL DEFAULT 0)', 'history_events': 'CREATE TABLE history_events (id INTEGER PRIMARY KEY AUTOINCREMENT,event_type TEXT NOT NULL,event_time REAL NOT NULL,pending_listeners TEXT NOT NULL,value BLOB)', 'history_event_listeners': 'CREATE TABLE history_event_listeners (listener_name TEXT PRIMARY KEY NOT NULL UNIQUE,last_seen REAL NOT NULL)', 'metadata': 'CREATE TABLE metadata (key TEXT NOT NULL UNIQUE, value)', 'history_tombstones': 'CREATE TABLE history_tombstones (id INTEGER PRIMARY KEY AUTOINCREMENT,start_time REAL NOT NULL,end_time REAL NOT NULL,url TEXT,generation INTEGER NOT NULL DEFAULT 0)'}]
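To show what the plugin's query actually yields, here is an added example (not plaso's own code) that rebuilds the two tables the query reads from the SCHEMAS above in an in-memory SQLite database, checks REQUIRED_TABLES against sqlite_master the way a schema match would, runs the QUERIES statement and maps each row onto the SafariHistoryPageVisitedEventData fields. It assumes visit_time is a Cocoa timestamp (seconds since 2001-01-01 UTC) and derives host from the URL; the inserted rows are constructed.

```python
"""Added example (not plaso's own code): rebuild Safari's History.db tables
from the schema above, run the plugin's query and map rows to event data."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# CREATE TABLE statements copied from the SCHEMAS constant (only the two
# tables the query reads).
HISTORY_ITEMS_SCHEMA = (
    'CREATE TABLE history_items (id INTEGER PRIMARY KEY AUTOINCREMENT,'
    'url TEXT NOT NULL UNIQUE,domain_expansion TEXT NULL,'
    'visit_count INTEGER NOT NULL,daily_visit_counts BLOB NOT NULL,'
    'weekly_visit_counts BLOB NULL,autocomplete_triggers BLOB NULL,'
    'should_recompute_derived_visit_counts INTEGER NOT NULL,'
    'visit_count_score INTEGER NOT NULL)')
HISTORY_VISITS_SCHEMA = (
    'CREATE TABLE history_visits (id INTEGER PRIMARY KEY AUTOINCREMENT,'
    'history_item INTEGER NOT NULL REFERENCES history_items(id) '
    'ON DELETE CASCADE,visit_time REAL NOT NULL,title TEXT NULL,'
    'load_successful BOOLEAN NOT NULL DEFAULT 1,'
    'http_non_get BOOLEAN NOT NULL DEFAULT 0,'
    'synthesized BOOLEAN NOT NULL DEFAULT 0,'
    'redirect_source INTEGER NULL UNIQUE REFERENCES history_visits(id) '
    'ON DELETE CASCADE,redirect_destination INTEGER NULL UNIQUE '
    'REFERENCES history_visits(id) ON DELETE CASCADE,'
    'origin INTEGER NOT NULL DEFAULT 0,generation INTEGER NOT NULL DEFAULT 0,'
    'attributes INTEGER NOT NULL DEFAULT 0,score INTEGER NOT NULL DEFAULT 0)')

REQUIRED_TABLES = frozenset({'history_visits', 'history_items'})

# The query string from the plugin's QUERIES constant.
PAGE_VISIT_QUERY = (
    'SELECT history_items.id, history_items.url, history_items.visit_count, '
    'history_visits.id AS visit_id, history_visits.history_item,'
    'history_visits.visit_time, history_visits.redirect_destination, '
    'history_visits.title, history_visits.http_non_get, '
    'history_visits.redirect_source FROM history_items, history_visits '
    'WHERE history_items.id = history_visits.history_item '
    'ORDER BY history_visits.visit_time')

# Assumption: visit_time is a Cocoa timestamp, seconds since 2001-01-01 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def has_required_tables(connection, required=REQUIRED_TABLES):
    """Mimics the plugin's REQUIRED_TABLES check against sqlite_master."""
    rows = connection.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")
    return required <= {name for (name,) in rows}


def cocoa_time_to_datetime(seconds):
    """Converts a Cocoa timestamp (float seconds) to an aware datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def parse_page_visits(connection):
    """Runs the plugin query and builds one event-data dict per visit."""
    connection.row_factory = sqlite3.Row
    events = []
    for row in connection.execute(PAGE_VISIT_QUERY):
        events.append({
            'host': urlparse(row['url']).hostname,
            'title': row['title'],
            'url': row['url'],
            'visit_count': row['visit_count'],
            'was_http_non_get': bool(row['http_non_get']),
            'timestamp': cocoa_time_to_datetime(row['visit_time']),
        })
    return events


def build_sample_database():
    """Constructed History.db with two items and two visits (not real data)."""
    connection = sqlite3.connect(':memory:')
    connection.execute(HISTORY_ITEMS_SCHEMA)
    connection.execute(HISTORY_VISITS_SCHEMA)
    connection.executemany(
        'INSERT INTO history_items (id, url, visit_count, daily_visit_counts, '
        'should_recompute_derived_visit_counts, visit_count_score) '
        'VALUES (?, ?, ?, ?, 0, 0)',
        [(1, 'https://example.com/', 3, b''),
         (2, 'https://example.org/login', 1, b'')])
    # Inserted out of time order on purpose: the query's ORDER BY sorts them.
    connection.executemany(
        'INSERT INTO history_visits (history_item, visit_time, title, '
        'http_non_get) VALUES (?, ?, ?, ?)',
        [(2, 600000300.0, 'Sign in', 1),          # non-GET (form submission)
         (1, 600000000.0, 'Example Domain', 0)])  # ordinary GET
    connection.commit()
    return connection


if __name__ == '__main__':
    database = build_sample_database()
    print('schema match:', has_required_tables(database))
    for event in parse_page_visits(database):
        print(event['timestamp'].isoformat(), event['host'], event['url'],
              'non-GET' if event['was_http_non_get'] else 'GET')
```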
plaso.parsers.sqlite_plugins.skype module

This file contains a basic Skype SQLite parser.

class plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData[source]

Bases: plaso.containers.events.EventData

Skype account event data.

country

str – home country of the account holder.

display_name

str – display name of the account holder.

email

str – registered email address of the account holder.

username

str – full name and display name of the Skype account holder.

DATA_TYPE = 'skype:event:account'
class plaso.parsers.sqlite_plugins.skype.SkypeCallEventData[source]

Bases: plaso.containers.events.EventData

Skype call event data.

call_type

str – call type, such as: WAITING, STARTED, FINISHED.

dst_call

str – account which received the call.

src_call

str – account which started the call.

user_start_call

bool – True if the owner account started the call.

video_conference

bool – True if the call was a video conference.

DATA_TYPE = 'skype:event:call'
class plaso.parsers.sqlite_plugins.skype.SkypeChatEventData[source]

Bases: plaso.containers.events.EventData

Skype chat event data.

from_account

str – sender display name and author of the message.

text

str – body XML.

title

str – title.

to_account

str – accounts, excluding the author, of the conversation.

DATA_TYPE = 'skype:event:chat'
class plaso.parsers.sqlite_plugins.skype.SkypePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for the Skype main.db SQLite database file.

DESCRIPTION = 'Parser for Skype SQLite database files.'
NAME = 'skype'
ParseAccountInformation(parser_mediator, query, row, **unused_kwargs)[source]

Parses account information.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row with account information.
ParseCall(parser_mediator, query, row, **unused_kwargs)[source]

Parses a call.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (Optional[str]) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
ParseChat(parser_mediator, query, row, **unused_kwargs)[source]

Parses a chat message.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
ParseFileTransfer(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)[source]

Parses a file transfer.

There is no direct relationship between who sends the file and who accepts the file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
  • cache (Optional[SQLiteCache]) – cache.
  • database (Optional[SQLiteDatabase]) – database.
ParseSMS(parser_mediator, query, row, **unused_kwargs)[source]

Parses an SMS.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT c.id, c.participants, c.friendlyname AS title, m.author AS author, m.from_dispname AS from_displayname, m.body_xml, m.timestamp, c.dialog_partner FROM Chats c, Messages m WHERE c.name = m.chatname', 'ParseChat'), ('SELECT id, fullname, given_displayname, emails, country, profile_timestamp, authreq_timestamp, lastonline_timestamp, mood_timestamp, sent_authrequest_time, lastused_timestamp FROM Accounts', 'ParseAccountInformation'), ('SELECT id, target_numbers AS dstnum_sms, timestamp AS time_sms, body AS msg_sms FROM SMSes', 'ParseSMS'), ('SELECT id, partner_handle, partner_dispname, offer_send_list, starttime, accepttime, finishtime, filepath, filename, filesize, status, parent_id, pk_id FROM Transfers', 'ParseFileTransfer'), ('SELECT c.id, cm.guid, c.is_incoming, cm.call_db_id, cm.videostatus, c.begin_timestamp AS try_call, cm.start_timestamp AS accept_call, cm.call_duration FROM Calls c, CallMembers cm WHERE c.id = cm.call_db_id;', 'ParseCall')]
QUERY_DEST_FROM_TRANSFER = 'SELECT parent_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'
QUERY_SOURCE_FROM_TRANSFER = 'SELECT pk_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'
REQUIRED_TABLES = frozenset({'Accounts', 'Chats', 'Calls', 'Transfers', 'CallMembers', 'Contacts', 'SMSes', 'Conversations'})
SCHEMAS = [{'Accounts': 'CREATE TABLE Accounts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, pwdchangestatus INTEGER, logoutreason INTEGER, commitstatus INTEGER, suggested_skypename TEXT, skypeout_balance_currency TEXT, skypeout_balance INTEGER, skypeout_precision INTEGER, skypein_numbers TEXT, subscriptions TEXT, cblsyncstatus INTEGER, offline_callforward TEXT, chat_policy INTEGER, skype_call_policy INTEGER, pstn_call_policy INTEGER, avatar_policy INTEGER, buddycount_policy INTEGER, timezone_policy INTEGER, webpresence_policy INTEGER, phonenumbers_policy INTEGER, voicemail_policy INTEGER, authrequest_policy INTEGER, ad_policy INTEGER, partner_optedout TEXT, service_provider_info TEXT, registration_timestamp INTEGER, nr_of_other_instances INTEGER, partner_channel_status TEXT, flamingo_xmpp_status INTEGER, federated_presence_policy INTEGER, liveid_membername TEXT, roaming_history_enabled INTEGER, cobrand_id INTEGER, owner_under_legal_age INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, homepage TEXT, about TEXT, profile_timestamp INTEGER, received_authrequest TEXT, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, aliases TEXT, authreq_timestamp INTEGER, mood_text TEXT, timezone INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, given_displayname TEXT, availability INTEGER, lastonline_timestamp INTEGER, capabilities BLOB, avatar_image BLOB, assigned_speeddial TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_comment TEXT, alertstring TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, rich_mood_text TEXT, synced_email BLOB, set_availability INTEGER, options_change_future BLOB, cbl_profile_blob BLOB, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, 
cbl_future BLOB, node_capabilities INTEGER, node_capabilities_and INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, verified_email BLOB, verified_company BLOB, uses_jcs INTEGER)', 'Calls': 'CREATE TABLE Calls (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, begin_timestamp INTEGER, topic TEXT, is_muted INTEGER, is_unseen_missed INTEGER, host_identity TEXT, mike_status INTEGER, duration INTEGER, soundlevel INTEGER, access_token TEXT, active_members INTEGER, is_active INTEGER, name TEXT, video_disabled INTEGER, joined_existing INTEGER, server_identity TEXT, vaa_input_status INTEGER, is_incoming INTEGER, is_conference INTEGER, is_on_hold INTEGER, start_timestamp INTEGER, quality_problems TEXT, current_video_audience TEXT, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, is_premium_video_sponsor INTEGER, premium_video_sponsor_list TEXT, old_members BLOB, partner_handle TEXT, partner_dispname TEXT, type INTEGER, status INTEGER, failurereason INTEGER, failurecode INTEGER, pstn_number TEXT, old_duration INTEGER, conf_participants BLOB, pstn_status TEXT, members BLOB, conv_dbid INTEGER)', 'LegacyMessages': 'CREATE TABLE LegacyMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER)', 'Messages': 'CREATE TABLE Messages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, chatname TEXT, author TEXT, from_dispname TEXT, author_was_live INTEGER, guid BLOB, dialog_partner TEXT, timestamp INTEGER, type INTEGER, sending_status INTEGER, consumption_status INTEGER, edited_by TEXT, edited_timestamp INTEGER, param_key INTEGER, param_value INTEGER, body_xml TEXT, identities TEXT, reason TEXT, leavereason INTEGER, participant_count INTEGER, error_code INTEGER, chatmsg_type INTEGER, chatmsg_status INTEGER, body_is_rawxml INTEGER, oldoptions INTEGER, newoptions INTEGER, newrole INTEGER, pk_id 
INTEGER, crc INTEGER, remote_id INTEGER, call_guid TEXT, extprop_contact_review_date TEXT, extprop_contact_received_stamp INTEGER, extprop_contact_reviewed INTEGER)', 'Voicemails': 'CREATE TABLE Voicemails (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, subject TEXT, timestamp INTEGER, duration INTEGER, allowed_duration INTEGER, playback_progress INTEGER, convo_id INTEGER, chatmsg_guid BLOB, notification_id INTEGER, flags INTEGER, size INTEGER, path TEXT, failures INTEGER, vflags INTEGER, xmsg TEXT, extprop_hide_from_history INTEGER)', 'DbMeta': 'CREATE TABLE DbMeta (key TEXT NOT NULL PRIMARY KEY, value TEXT)', 'AppSchemaVersion': 'CREATE TABLE AppSchemaVersion (ClientVersion TEXT NOT NULL, SQLiteSchemaVersion INTEGER NOT NULL, SchemaUpdateType INTEGER NOT NULL)', 'Alerts': 'CREATE TABLE Alerts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, timestamp INTEGER, partner_name TEXT, is_unseen INTEGER, partner_id INTEGER, partner_event TEXT, partner_history TEXT, partner_header TEXT, partner_logo TEXT, meta_expiry INTEGER, message_header_caption TEXT, message_header_title TEXT, message_header_subject TEXT, message_header_cancel TEXT, message_header_later TEXT, message_content TEXT, message_footer TEXT, message_button_caption TEXT, message_button_uri TEXT, message_type INTEGER, window_size INTEGER, chatmsg_guid BLOB, notification_id INTEGER, event_flags INTEGER, extprop_hide_from_history INTEGER)', 'Transfers': 'CREATE TABLE Transfers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, starttime INTEGER, finishtime INTEGER, filepath TEXT, filename TEXT, filesize TEXT, bytestransferred TEXT, bytespersecond INTEGER, chatmsg_guid BLOB, chatmsg_index INTEGER, convo_id INTEGER, pk_id INTEGER, nodeid BLOB, last_activity INTEGER, flags INTEGER, old_status INTEGER, 
old_filepath INTEGER, accepttime INTEGER, parent_id INTEGER, offer_send_list TEXT, extprop_localfilename TEXT, extprop_hide_from_history INTEGER, extprop_window_visible INTEGER, extprop_handled_by_chat INTEGER)', 'SMSes': 'CREATE TABLE SMSes (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, outgoing_reply_type INTEGER, status INTEGER, failurereason INTEGER, is_failed_unseen INTEGER, timestamp INTEGER, price INTEGER, price_precision INTEGER, price_currency TEXT, reply_to_number TEXT, target_numbers TEXT, target_statuses BLOB, body TEXT, chatmsg_id INTEGER, identity TEXT, notification_id INTEGER, event_flags INTEGER, reply_id_number TEXT, convo_name TEXT, extprop_hide_from_history INTEGER, extprop_extended INTEGER)', 'ChatMembers': 'CREATE TABLE ChatMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, chatname TEXT, identity TEXT, role INTEGER, is_active INTEGER, cur_activities INTEGER, adder TEXT)', 'CallMembers': 'CREATE TABLE CallMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, dispname TEXT, languages TEXT, call_duration INTEGER, price_per_minute INTEGER, price_precision INTEGER, price_currency TEXT, payment_category TEXT, type INTEGER, status INTEGER, failurereason INTEGER, sounderror_code INTEGER, soundlevel INTEGER, pstn_statustext TEXT, pstn_feedback TEXT, forward_targets TEXT, forwarded_by TEXT, debuginfo TEXT, videostatus INTEGER, target_identity TEXT, mike_status INTEGER, is_read_only INTEGER, quality_status INTEGER, call_name TEXT, transfer_status INTEGER, transfer_active INTEGER, transferred_by TEXT, transferred_to TEXT, guid TEXT, next_redial_time INTEGER, nrof_redials_done INTEGER, nrof_redials_left INTEGER, transfer_topic TEXT, real_identity TEXT, start_timestamp INTEGER, is_conference INTEGER, quality_problems TEXT, identity_type INTEGER, country TEXT, creation_timestamp INTEGER, stats_xml TEXT, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, recovery_in_progress 
INTEGER, nonse_word TEXT, nr_of_delivered_push_notifications INTEGER, call_session_guid TEXT, version_string TEXT, pk_status INTEGER, call_db_id INTEGER, prime_status INTEGER)', 'Contacts': 'CREATE TABLE Contacts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, aliases TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, hashed_emails TEXT, homepage TEXT, about TEXT, avatar_image BLOB, mood_text TEXT, rich_mood_text TEXT, timezone INTEGER, capabilities BLOB, profile_timestamp INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, received_authrequest TEXT, authreq_timestamp INTEGER, lastonline_timestamp INTEGER, availability INTEGER, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, given_displayname TEXT, assigned_speeddial TEXT, assigned_comment TEXT, alertstring TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_phone1 TEXT, assigned_phone1_label TEXT, assigned_phone2 TEXT, assigned_phone2_label TEXT, assigned_phone3 TEXT, assigned_phone3_label TEXT, buddystatus INTEGER, isauthorized INTEGER, popularity_ord INTEGER, external_id TEXT, external_system_id TEXT, isblocked INTEGER, authorization_certificate BLOB, certificate_send_count INTEGER, account_modification_serial_nr INTEGER, saved_directory_blob BLOB, nr_of_buddies INTEGER, server_synced INTEGER, contactlist_track INTEGER, last_used_networktime INTEGER, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, cbl_future BLOB, node_capabilities INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, node_capabilities_and INTEGER, authreq_crc INTEGER, 
authreq_src INTEGER, pop_score INTEGER, authreq_nodeinfo BLOB, main_phone TEXT, unified_servants TEXT, phone_home_normalized TEXT, phone_office_normalized TEXT, phone_mobile_normalized TEXT, sent_authrequest_initmethod INTEGER, authreq_initmethod INTEGER, verified_email BLOB, verified_company BLOB, sent_authrequest_extrasbitmask INTEGER, liveid_cid TEXT, extprop_seen_birthday INTEGER, extprop_sms_target INTEGER, extprop_external_data TEXT, extprop_must_hide_avatar INTEGER)', 'Videos': 'CREATE TABLE Videos (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, error TEXT, debuginfo TEXT, dimensions TEXT, media_type INTEGER, duration_1080 INTEGER, duration_720 INTEGER, duration_hqv INTEGER, duration_vgad2 INTEGER, duration_ltvgad2 INTEGER, timestamp INTEGER, hq_present INTEGER, duration_ss INTEGER, ss_timestamp INTEGER, convo_id INTEGER, device_path TEXT)', 'ContactGroups': 'CREATE TABLE ContactGroups (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, custom_group_id INTEGER, given_displayname TEXT, nrofcontacts INTEGER, nrofcontacts_online INTEGER, given_sortorder INTEGER, type_old INTEGER, proposer TEXT, description TEXT, associated_chat TEXT, members TEXT, cbl_id INTEGER, cbl_blob BLOB, fixed INTEGER, keep_sharedgroup_contacts INTEGER, chats TEXT, extprop_is_hidden INTEGER, extprop_sortorder_value INTEGER, extprop_is_expanded INTEGER)', 'Conversations': 'CREATE TABLE Conversations (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, type INTEGER, live_host TEXT, live_start_timestamp INTEGER, live_is_muted INTEGER, alert_string TEXT, is_bookmarked INTEGER, given_displayname TEXT, displayname TEXT, local_livestatus INTEGER, inbox_timestamp INTEGER, inbox_message_id INTEGER, unconsumed_suppressed_messages INTEGER, unconsumed_normal_messages INTEGER, unconsumed_elevated_messages INTEGER, unconsumed_messages_voice INTEGER, active_vm_id INTEGER, context_horizon INTEGER, consumption_horizon INTEGER, 
last_activity_timestamp INTEGER, active_invoice_message INTEGER, spawned_from_convo_id INTEGER, pinned_order INTEGER, creator TEXT, creation_timestamp INTEGER, my_status INTEGER, opt_joining_enabled INTEGER, opt_access_token TEXT, opt_entry_level_rank INTEGER, opt_disclose_history INTEGER, opt_history_limit_in_days INTEGER, opt_admin_only_activities INTEGER, passwordhint TEXT, meta_name TEXT, meta_topic TEXT, meta_guidelines TEXT, meta_picture BLOB, picture TEXT, is_p2p_migrated INTEGER, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, guid TEXT, dialog_partner TEXT, meta_description TEXT, premium_video_sponsor_list TEXT, mcr_caller TEXT, chat_dbid INTEGER, history_horizon INTEGER, history_sync_state TEXT, thread_version TEXT, consumption_horizon_set_at INTEGER, alt_identity TEXT, extprop_profile_height INTEGER, extprop_chat_width INTEGER, extprop_chat_left_margin INTEGER, extprop_chat_right_margin INTEGER, extprop_entry_height INTEGER, extprop_windowpos_x INTEGER, extprop_windowpos_y INTEGER, extprop_windowpos_w INTEGER, extprop_windowpos_h INTEGER, extprop_window_maximized INTEGER, extprop_window_detached INTEGER, extprop_pinned_order INTEGER, extprop_new_in_inbox INTEGER, extprop_tab_order INTEGER, extprop_video_layout INTEGER, extprop_video_chat_height INTEGER, extprop_chat_avatar INTEGER, extprop_consumption_timestamp INTEGER, extprop_form_visible INTEGER, extprop_recovery_mode INTEGER)', 'Participants': 'CREATE TABLE Participants (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, identity TEXT, rank INTEGER, requested_rank INTEGER, text_status INTEGER, voice_status INTEGER, video_status INTEGER, live_identity TEXT, live_price_for_me TEXT, live_fwd_identities TEXT, live_start_timestamp INTEGER, sound_level INTEGER, debuginfo TEXT, next_redial_time INTEGER, nrof_redials_left INTEGER, last_voice_error TEXT, quality_problems TEXT, live_type INTEGER, live_country TEXT, transferred_by TEXT, transferred_to TEXT, adder TEXT, 
last_leavereason INTEGER, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, live_identity_to_use TEXT, livesession_recovery_in_progress INTEGER, is_multiparty_video_updatable INTEGER, real_identity TEXT, extprop_default_identity INTEGER)', 'VideoMessages': 'CREATE TABLE VideoMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, qik_id BLOB, attached_msg_ids TEXT, sharing_id TEXT, status INTEGER, vod_status INTEGER, vod_path TEXT, local_path TEXT, public_link TEXT, progress INTEGER, title TEXT, description TEXT, author TEXT, creation_timestamp INTEGER)', 'Chats': 'CREATE TABLE Chats (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, name TEXT, options INTEGER, friendlyname TEXT, description TEXT, timestamp INTEGER, activity_timestamp INTEGER, dialog_partner TEXT, adder TEXT, type INTEGER, mystatus INTEGER, myrole INTEGER, posters TEXT, participants TEXT, applicants TEXT, banned_users TEXT, name_text TEXT, topic TEXT, topic_xml TEXT, guidelines TEXT, picture BLOB, alertstring TEXT, is_bookmarked INTEGER, passwordhint TEXT, unconsumed_suppressed_msg INTEGER, unconsumed_normal_msg INTEGER, unconsumed_elevated_msg INTEGER, unconsumed_msg_voice INTEGER, activemembers TEXT, state_data BLOB, lifesigns INTEGER, last_change INTEGER, first_unread_message INTEGER, pk_type INTEGER, dbpath TEXT, split_friendlyname TEXT, conv_dbid INTEGER)'}]
class plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData[source]

Bases: plaso.containers.events.EventData

Skype SMS event data.

number

str – phone number to which the SMS was sent.

text

str – text (SMS body) that was sent.

DATA_TYPE = 'skype:event:sms'
class plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData[source]

Bases: plaso.containers.events.EventData

Skype file transfer event data.

action_type

str – action type, e.g. GETSOLICITUDE, SENDSOLICITUDE, ACCEPTED, FINISHED.

destination

str – account that received the file.

source

str – account that sent the file.

transferred_filename

str – name of the file transferred.

transferred_filepath

str – path of the file transferred.

transferred_filesize

int – size of the file transferred.

DATA_TYPE = 'skype:event:transferfile'
plaso.parsers.sqlite_plugins.tango_android module

Parser for Tango on Android databases.

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData[source]

Bases: plaso.containers.events.EventData

Tango on Android contact event data.

first_name

str – contact profile first name.

last_name

str – contact profile last name.

birthday

str – contact profile birthday.

gender

str – contact profile gender.

status

str – contact status message.

distance

int – contact profile distance.

is_friend

bool – True if the contact is considered a friend.

friend_request_type

str – flag indicating the type of friend request sent, for example outRequest for a request sent or noRequest for no request.

friend_request_message

str – message sent on friend request.

DATA_TYPE = 'tango:android:contact'
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidConversationEventData[source]

Bases: plaso.containers.events.EventData

Tango on Android conversation event data.

conversation_identifier

int – conversation identifier.

DATA_TYPE = 'tango:android:conversation'
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventData[source]

Bases: plaso.containers.events.EventData

Tango on Android message event data.

message_identifier

int – message identifier.

direction

int – flag indicating direction of the message.

DATA_TYPE = 'tango:android:message'
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Tango on Android profile database.

DESCRIPTION = 'Parser for Tango on Android profile database.'
NAME = 'tango_android_profile'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT itemLastActiveTime AS last_active_time, itemLastLocalAccessTime AS last_access_time, itemFriendRequestTime AS friend_request_time, itemFirstName AS first_name, itemLastName AS last_name, itemBirthday AS birthday, itemGender AS gender, itemStatus AS status, itemDistance AS distance, itemIsFriend AS friend, itemFriendRequestType AS friend_request_type, itemFriendRequestMessage AS friend_request_message FROM profiletable', 'ParseContactRow')]
REQUIRED_TABLES = frozenset({'profiletable', 'profiles'})
SCHEMAS = [{'profiletable': 'CREATE TABLE `profiletable` (`itemUserId` TEXT PRIMARY KEY, `itemFirstName` TEXT NOT NULL, `itemLastName` TEXT NOT NULL, `itemBirthday` TEXT NOT NULL, `itemGender` TEXT NOT NULL, `itemStatus` TEXT NOT NULL, `itemLastActiveTime` BIGINT NOT NULL, `itemDistance` DOUBLE NOT NULL, `itemCity` TEXT NOT NULL, `itemGeoCountryCode` TEXT NOT NULL, `itemAvatarUrl` TEXT NOT NULL, `itemThumbnailUrl` TEXT NOT NULL, `itemVideoUrl` TEXT NOT NULL, `itemVideoThumbnailUrl` TEXT NOT NULL, `itemBackgroundUrl` TEXT NOT NULL, `itemIsFriend` INTEGER NOT NULL, `itemIsBlocked` INTEGER NOT NULL, `itemFriendRequestType` TEXT NOT NULL, `itemReverseRelationships` TEXT NOT NULL, `itemFavoriterCount` INTEGER NOT NULL, `itemFavoritingCount` INTEGER NOT NULL, `itemFeedCount` INTEGER NOT NULL, `itemRefereneCount` INTEGER NOT NULL, `itemLevel1DataSyncTime` BIGINT NOT NULL, `itemLevel2DataSyncTime` BIGINT NOT NULL, `itemLevel3DataSyncTime` BIGINT NOT NULL, `itemLevel4DataSyncTime` BIGINT NOT NULL, `itemLevel5DataSyncTime` BIGINT NOT NULL, `itemLastLocalAccessTime` BIGINT NOT NULL, `itemFriendRequestId` TEXT NOT NULL, `itemFriendRequestMessage` TEXT NOT NULL, `itemFriendRequestTime` BIGINT NOT NULL, `itemIsNewFriendRequest` INTEGER NOT NULL, `itemFriendRequestTCMessageId` INTEGER NOT NULL, `itemFriendRequestContext` TEXT NOT NULL, `itemFriendRequestAttachedPostType` INTEGER NOT NULL, `itemFriendRequestAttachedPostContent` TEXT NOT NULL, `itemFriendRequestHasBeenForwardedToTc` INTEGER NOT NULL, `itemProfileType` TEXT NOT NULL, `itemDatingAge` INTEGER NOT NULL, `itemDatingLocationString` TEXT NOT NULL, `itemDatingSeekingString` TEXT NOT NULL, `itemDatingEssayText` TEXT NOT NULL, `itemDatingBodyType` TEXT NOT NULL, `itemDatingLastActive` TEXT NOT NULL, `itemDatingProfileUrl` TEXT NOT NULL, `itemLastTimeOfLikeProfile` BIGINT NOT NULL, `itemIsHidden` INTEGER NOT NULL, `itemPrivacy` INTEGER NOT NULL, `itemCanSeeMyPost` INTEGER NOT NULL, `itemCanShareMyPost` INTEGER NOT NULL, 
`itemCanContactMe` INTEGER NOT NULL)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)'}]
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Tango on Android tc database.

DESCRIPTION = 'Parser for Tango on Android tc database.'
NAME = 'tango_android_tc'
ParseConversationRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a conversation row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a message row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT conversations.conv_id AS conv_id, conversations.payload AS payload FROM conversations', 'ParseConversationRow'), ('SELECT messages.create_time AS create_time, messages.send_time AS send_time, messages.msg_id AS msg_id, messages.payload AS payload, messages.direction AS direction FROM messages LEFT JOIN likes ON messages.msg_id = likes.msg_id', 'ParseMessageRow')]
REQUIRED_TABLES = frozenset({'conversations', 'sms', 'likes', 'messages', 'games', 'profiles', 'receipts'})
SCHEMAS = [{'conversations': 'CREATE TABLE `conversations` (`conv_id` TEXT PRIMARY KEY, `conv_type` INTEGER DEFAULT 0, `payload` BLOB, `last_msg_id` INTEGER, `unread_count` INTEGER, `last_read_sent_msg_id` INTEGER, `conv_del_status` INTEGER DEFAULT 0, `deleting_ts` BIGINT DEFAULT 0, `conv_restore_status` INTEGER DEFAULT 0, `peers_read` TEXT, `total_received_msg_count` INTEGER DEFAULT -1, `communication_context` INTEGER DEFAULT 0)', 'games': 'CREATE TABLE `games` (`game_session_id` TEXT PRIMARY KEY, `message_id` INTEGER, `conversation_id` TEXT, `game_id` TEXT, `game_state` INTEGER, `action_timestamp` BIGINT, `current_player_account_id` TEXT)', 'likes': 'CREATE TABLE `likes` (`msg_id` INTEGER PRIMARY KEY, `global_msg_id` TEXT, `conv_id` TEXT, `liker_aid` TEXT, `act_type` INTEGER, `status` INTEGER, `act_ts` BIGINT, `payload` BLOB)', 'messages': 'CREATE TABLE `messages` (`msg_id` INTEGER PRIMARY KEY, `conv_id` TEXT, `type` INTEGER, `media_id` TEXT, `share_id` TEXT, `create_time` BIGINT, `send_time` BIGINT, `direction` INTEGER, `status` INTEGER, `payload` BLOB, `del_status` INTEGER)', 'sms': 'CREATE TABLE `sms` (`msg_id` INTEGER PRIMARY KEY, `phonenumber` TEXT, `text` TEXT)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'receipts': 'CREATE TABLE `receipts` (`conv_id` TEXT PRIMARY KEY, `msg_id` INTEGER, `sender_msg_id` INTEGER, `sender_aids` TEXT, `type` INTEGER, `create_time` BIGINT, `status` INTEGER, `payload` BLOB)'}]
plaso.parsers.sqlite_plugins.twitter_android module

Parser for Twitter on Android.

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData[source]

Bases: plaso.containers.events.EventData

Twitter on Android contact event data.

identifier

int – contact row id.

user_identifier

int – twitter account id.

username

str – twitter account handle.

name

str – twitter account name.

description

str – twitter account profile description.

web_url

str – twitter account profile url content.

location

str – twitter account profile location content.

followers

int – number of followers.

friends

int – number of accounts the contact is following.

statuses

int – twitter account number of tweets.

image_url

str – profile picture url.

DATA_TYPE = 'twitter:android:contact'
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser plugin for Twitter on Android.

DESCRIPTION = 'Parser for Twitter on android database'
NAME = 'twitter_android'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
ParseSearchRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a search row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a status row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT name, query, time FROM search_queries', 'ParseSearchRow'), ('SELECT statuses._id AS _id, statuses.author_id AS author_id, users.username AS username, statuses.content AS content, statuses.created AS time, statuses.favorited AS favorited, statuses.retweeted AS retweeted FROM statuses LEFT JOIN users ON statuses.author_id = users.user_id', 'ParseStatusRow'), ('SELECT _id, user_id, username, name, profile_created, description, web_url, location, followers, friends, statuses, image_url, updated, friendship_time FROM users', 'ParseContactRow')]
REQUIRED_TABLES = frozenset({'search_queries', 'statuses', 'users'})
SCHEMAS = [{'timeline': 'CREATE TABLE timeline (_id INTEGER PRIMARY KEY AUTOINCREMENT,owner_id INT,type INT,sort_index INT,entity_id INT,entity_type INT,data_type INT,data_type_group INT,data_type_tag INT,timeline_tag TEXT,timeline_group_id INT,timeline_scribe_group_id INT,data_id INT,data BLOB,flags INT,updated_at INT,data_origin_id TEXT,is_last INT,is_read INT,scribe_content BLOB,timeline_moment_info BLOB,dismissed INT NOT NULL DEFAULT 0,dismiss_actions INT NOT NULL DEFAULT 0)', 'moments_guide_user_states': 'CREATE TABLE moments_guide_user_states (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,is_read INT,is_updated INT,FOREIGN KEY(moment_id) REFERENCES moments(_id) ON DELETE CASCADE)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY,conversation_id TEXT NOT NULL,user_id TEXT NOT NULL,join_time INT NOT NULL,participant_type INT NOT NULL)', 'prompts': 'CREATE TABLE prompts (_id INTEGER PRIMARY KEY,p_id INT,p_format TEXT,p_template TEXT,p_header TEXT,p_text TEXT,p_action_text TEXT,p_action_url TEXT,p_icon TEXT,p_background_image_url TEXT,p_persistence TEXT,p_entities BLOB,p_header_entities BLOB,p_status_id LONG,p_insertion_index INT,p_trigger TEXT)', 'card_state': 'CREATE TABLE card_state (_id INTEGER PRIMARY KEY AUTOINCREMENT,card_status_id INT,card_id INT, card_state BLOB)', 'moments_sections': 'CREATE TABLE moments_sections (_id INTEGER PRIMARY KEY,section_title TEXT,section_type BLOB NOT NULL,section_group_id TEXT,section_group_type INT NOT NULL)', 'moments_guide': 'CREATE TABLE moments_guide (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,section_id INT NOT NULL,tweet_id INT NOT NULL, crop_data BLOB,media_id INT,media_url TEXT,media_size BLOB,FOREIGN KEY(section_id) REFERENCES moments_sections(_id) ON DELETE CASCADE)', 'category_timestamp': 'CREATE TABLE category_timestamp (_id INTEGER PRIMARY KEY,cat_status_id INT NOT NULL,cat_tag INT NOT NULL,cat_timestamp INT NOT NULL)', 'status_metadata': 'CREATE TABLE 
status_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,status_id INT NOT NULL,status_group INT NOT NULL,status_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_second_name TEXT,soc_others_count INT,soc_fav_count INT,soc_rt_count INT,reason_icon_type TEXT,reason_text TEXT,scribe_component TEXT,scribe_data BLOB,highlights TEXT)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'dismiss_info': 'CREATE TABLE dismiss_info(timeline_id INTEGER REFERENCES timeline(_id),feedback_action_id INTEGER REFERENCES feedback_action(_id),UNIQUE(timeline_id,feedback_action_id))', 'tokens': 'CREATE TABLE tokens (_id INTEGER PRIMARY KEY,text TEXT,weight INT,type INT,ref_id INT)', 'statuses': 'CREATE TABLE statuses (_id INTEGER PRIMARY KEY,status_id INT UNIQUE NOT NULL,author_id INT,content TEXT,source TEXT,created INT,in_r_user_id INT,in_r_status_id INT,favorited INT,latitude TEXT,longitude TEXT,place_data BLOB,entities TEXT,retweet_count INT,r_content TEXT,cards BLOB,flags INT,favorite_count INT,lang TEXT,supplemental_language TEXT,view_count INT,quoted_tweet_data BLOB,quoted_tweet_id INT,retweeted INT)', 'cursors': 'CREATE TABLE cursors (_id INTEGER PRIMARY KEY,kind INT,type INT,owner_id INT,ref_id TEXT,next TEXT)', 'stories': 'CREATE TABLE stories ( _id INTEGER PRIMARY KEY,story_id TEXT,story_order INT,story_type INT,story_proof_type INT,story_proof_addl_count INT,data_type INT,data_id INT,story_is_read INT,story_meta_title TEXT,story_meta_subtitle TEXT,story_meta_query TEXT,story_meta_header_img_url TEXT,story_source TEXT,story_impression_info TEXT,story_tag INT)', 'moments_guide_categories': 'CREATE TABLE moments_guide_categories (_id INTEGER PRIMARY KEY,category_id TEXT NOT NULL,is_default_category INT NOT NULL,category_name TEXT NOT NULL,fetch_timestamp INT NOT NULL)', 'search_suggestion_metadata': 'CREATE TABLE search_suggestion_metadata (_id INTEGER PRIMARY KEY,type INT,last_update LONG)', 'order_history': 'CREATE TABLE order_history (_id INTEGER 
PRIMARY KEY,ordered_at INT ,order_id INT ,data BLOB)', 'conversation_entries': 'CREATE TABLE conversation_entries (_id INTEGER PRIMARY KEY,entry_id INT UNIQUE NOT NULL,sort_entry_id INT UNIQUE NOT NULL,conversation_id TEXT,user_id INT,created INT,entry_type INT,data BLOB,request_id TEXT)', 'activities': 'CREATE TABLE activities (_id INTEGER PRIMARY KEY,type INT,event INT,created_at INT,hash INT,max_position INT,min_position INT,sources_size INT,source_type INT,sources BLOB,targets_size INT,target_type INT,targets BLOB,target_objects_size INT,target_object_type INT,target_objects BLOB,is_last INT,tag INT,magic_rec_id INT,UNIQUE (type, max_position) ON CONFLICT REPLACE)', 'promoted_retry': 'CREATE TABLE promoted_retry(impression_id TEXT,event INT NOT NULL,is_earned INT NOT NULL,trend_id INT,num_retries INT NOT NULL,url TEXT,video_playlist_url TEXT,video_content_uuid TEXT,video_content_type TEXT,video_cta_url TEXT,video_cta_app_id TEXT,video_cta_app_name TEXT,card_event TEXT,PRIMARY KEY(impression_id,event,is_earned,trend_id))', 'moments_pages': 'CREATE TABLE moments_pages (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,page_id TEXT,type BLOB,tweet_id INT,display_mode BLOB,page_number INT,crop_data BLOB,theme_data BLOB,media_id INT,media_size BLOB,media_url TEXT,last_read_timestamp INT,FOREIGN KEY(moment_id) REFERENCES moments(_id))', 'users': 'CREATE TABLE users (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,username TEXT,name TEXT,description TEXT,web_url TEXT,bg_color INT,location TEXT,structured_location BLOB,user_flags INT,followers INT,fast_followers INT DEFAULT 0,friends INT,statuses INT,profile_created INT,image_url TEXT,hash INT,updated INT,friendship INT,friendship_time INT,favorites INT DEFAULT 0,header_url TEXT,description_entities BLOB,url_entities BLOB,media_count INT,extended_profile_fields BLOB,pinned_tweet_id INT,link_color INT,advertiser_type TEXT,business_profile_state TEXT)', 'status_groups': 'CREATE TABLE status_groups (_id INTEGER PRIMARY 
KEY,tweet_type INT DEFAULT 0,type INT,sender_id INT,owner_id INT,ref_id INT,tag INT,g_status_id INT,is_read INT,page INT,is_last INT,updated_at INT,timeline INT,pc BLOB,g_flags INT,preview_draft_id INT,preview_media BLOB,tweet_pivots BLOB)', 'clusters': 'CREATE TABLE clusters (_id INTEGER PRIMARY KEY,cl_cluster_id TEXT UNIQUE NOT NULL,cl_type INT,cl_title TEXT,cl_subtitle TEXT,cl_size INT,cl_timestamp INT,cl_content BLOB)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY,conversation_id TEXT UNIQUE NOT NULL,title TEXT,avatar_url TEXT,type INT,sort_event_id BIGINT,last_readable_event_id BIGINT,last_read_event_id BIGINT,sort_timestamp BIGINT,is_muted INT,min_event_id BIGINT,is_hidden INT,has_more INT,read_only INT)', 'ads_account_permissions': 'CREATE TABLE ads_account_permissions (_id INTEGER PRIMARY KEY,promotable_users BLOB,last_synced INT NOT NULL)', 'business_profiles': 'CREATE TABLE business_profiles (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,business_profile BLOB,last_synced INT NOT NULL)', 'user_groups': 'CREATE TABLE user_groups (_id INTEGER PRIMARY KEY,type INT,tag INT,rank INT,owner_id INT,user_id INT,is_last INT,pc BLOB,g_flags INT)', 'topics': 'CREATE TABLE topics (_id INTEGER PRIMARY KEY,ev_id TEXT UNIQUE NOT NULL,ev_type INT,ev_query TEXT NOT NULL,ev_seed_hashtag TEXT,ev_title STRING,ev_subtitle STRING,ev_view_url STRING,ev_status STRING,ev_image_url TEXT,ev_explanation TEXT,ev_tweet_count INT,ev_start_time INT,ev_owner_id INT,ev_pc BLOB,ev_content BLOB,ev_hash INT)', 'search_results': 'CREATE TABLE search_results (_id INTEGER PRIMARY KEY,search_id INT,s_type INT,data_type INT,type_id INT,polled INT,data_id INT,related_data BLOB,cluster_id INT)', 'feedback_action': 'CREATE TABLE feedback_action(_id INTEGER PRIMARY KEY AUTOINCREMENT,feedback_type TEXT,prompt TEXT,confirmation TEXT,UNIQUE(feedback_type,prompt,confirmation))', 'moments_visit_badge': 'CREATE TABLE moments_visit_badge (_id INTEGER PRIMARY KEY,moment_id INT 
UNIQUE NOT NULL,is_new_since_visit INT,is_updated_since_visit INT)', 'search_queries': 'CREATE TABLE search_queries (_id INTEGER PRIMARY KEY,type INT,name TEXT NOT NULL,query TEXT NOT NULL,query_id INT,time INT,latitude REAL,longitude REAL,radius REAL,location TEXT,pc BLOB,cluster_titles BLOB)', 'list_mapping': 'CREATE TABLE list_mapping (_id INTEGER PRIMARY KEY,list_mapping_list_id TEXT,list_mapping_type INT,list_mapping_user_id INT,list_is_last INT)', 'locations': 'CREATE TABLE locations (_id INTEGER PRIMARY KEY,name TEXT,woeid INT,country TEXT,country_code TEXT)', 'one_click': 'CREATE TABLE one_click (_id INTEGER PRIMARY KEY,topic TEXT,filter_name TEXT,filter_location TEXT,filter_follow INT)', 'news': 'CREATE TABLE news (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,topic_id INT,news_id TEXT,title TEXT,image_url TEXT,author_name TEXT,article_description TEXT,article_url TEXT,tweet_count INT,start_time INT,news_id_hash INT)', 'user_metadata': 'CREATE TABLE user_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,user_id INT NOT NULL,user_group_type INT NOT NULL,user_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_follow_count INT,user_title TEXT,token TEXT)', 'moments': 'CREATE TABLE moments (_id INTEGER PRIMARY KEY,title TEXT NOT NULL,can_subscribe INT,is_live INT,is_sensitive INT,subcategory_string TEXT,subcategory_favicon_url TEXT,time_string TEXT,duration_string TEXT,is_subscribed INT,description TEXT NOT NULL,moment_url TEXT,num_subscribers INT,author_info BLOB,promoted_content BLOB)', 'rankings': 'CREATE TABLE rankings (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,granularity TEXT,category TEXT,date INT)', 'notifications': 'CREATE TABLE notifications (_id INTEGER PRIMARY KEY,type INT,notif_id INT,source_user_name TEXT,s_name TEXT,s_id INT,notif_txt TEXT,aggregation_data TEXT,notif_extra_data BLOB)'}]
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData[source]

Bases: plaso.containers.events.EventData

Twitter on Android search event data.

name

str – twitter name handler.

search_query

str – search query.

DATA_TYPE = 'twitter:android:search'
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData[source]

Bases: plaso.containers.events.EventData

Twitter on Android status event data.

identifier

int – status row identifier.

author_identifier

int – twitter account identifier.

username

str – twitter account handle.

content

str – status content.

favorited

int – favorited flag as 0/1 value.

retweeted

int – retweeted flag as 0/1 value.

DATA_TYPE = 'twitter:android:status'
plaso.parsers.sqlite_plugins.twitter_ios module

Parser for Twitter on iOS 8+ database.

SQLite database path: /private/var/mobile/Containers/Data/Application/Library/Caches/databases/
SQLite database name: twitter.db

class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData[source]

Bases: plaso.containers.events.EventData

Twitter on iOS 8+ contact event data.

description

str – description of the profile.

followers_count

int – number of accounts following the contact.

following_count

int – number of accounts the contact is following.

following

int – 1 if the contact is following the user’s account, 0 if not.

location

str – location of the profile.

name

str – name of the profile.

profile_url

str – URL of the profile picture.

screen_name

str – screen name.

url

str – URL of the profile.

DATA_TYPE = 'twitter:ios:contact'
class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parser for Twitter on iOS 8+ database.

DESCRIPTION = 'Parser for Twitter on iOS 8+ database'
NAME = 'twitter_ios'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a contact row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
ParseStatusRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a status row from the database.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT createdDate, updatedAt, screenName, name, profileImageUrl,location, description, url, following, followersCount, followingCount FROM Users ORDER BY createdDate', 'ParseContactRow'), ('SELECT Statuses.date AS date, Statuses.text AS text, Statuses.userId AS user_id, Users.name AS name, Statuses.retweetCount AS retweetCount, Statuses.favoriteCount AS favoriteCount, Statuses.favorited AS favorited, Statuses.updatedAt AS updatedAt FROM Statuses LEFT join Users ON Statuses.userId = Users.id ORDER BY date', 'ParseStatusRow')]
REQUIRED_TABLES = frozenset({'MyRetweets', 'StatusesShadow', 'UsersShadow', 'Lists', 'Users', 'ListsShadow', 'Statuses'})
SCHEMAS = [{'MyRetweets': "CREATE TABLE MyRetweets ( 'statusId' INTEGER PRIMARY KEY, 'myRetweetId' INTEGER )", 'StatusesShadow': "CREATE TABLE StatusesShadow ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplementalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'UsersShadow': "CREATE TABLE UsersShadow ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )", 'ListsShadow': "CREATE TABLE ListsShadow ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' 
INTEGER, 'updatedAt' REAL )", 'Statuses': "CREATE TABLE Statuses ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplmentalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'Lists': "CREATE TABLE Lists ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'Users': "CREATE TABLE Users ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )"}]
class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData[source]

Bases: plaso.containers.events.EventData

Parent class for Twitter on iOS 8+ status events.

favorite_count

int – number of times the status message has been favorited.

favorited

int – value to mark status as favorite by the account.

name

str – user’s profile name.

retweet_count

str – number of times the status message has been retweeted.

text

str – content of the status message.

user_id

int – user unique identifier.

DATA_TYPE = 'twitter:ios:status'
plaso.parsers.sqlite_plugins.windows_timeline module

Plugin for the Windows 10 Timeline SQLite database.

Timeline events on Windows are stored in a SQLite database file, usually named ActivitiesCache.db, at a path like: %APPDATA%\Local\ConnectedDevicesPlatform\L.<username>

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData[source]

Bases: plaso.containers.events.EventData

Windows Timeline database generic event data.

package_identifier

str – the package ID or path to the executable run. Depending on the program, this either looks like a path (for example, c:\python34\python.exe) or like a package name (for example Docker.DockerForWindows.Settings).

description

str – this is an optional field, used to describe the action in the timeline view, and is usually populated with the path of the file currently open in the program described by package_identifier. Otherwise None.

application_display_name

str – a more human-friendly version of the package_identifier, such as ‘Docker for Windows’ or ‘Microsoft Store’.

DATA_TYPE = 'windows:timeline:generic'
class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

Parse the Windows Timeline SQLite database.

DESCRIPTION = 'Parser for the Windows Timeline SQLite database'
NAME = 'windows_timeline'
ParseGenericRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a generic windows timeline row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.

ParseUserEngagedRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a timeline row that describes a user interacting with an app.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT StartTime, Payload, PackageName FROM Activity INNER JOIN Activity_PackageId ON Activity.Id = Activity_PackageId.ActivityId WHERE instr(Payload, "UserEngaged") > 0 AND Platform = "packageid"', 'ParseUserEngagedRow'), ('SELECT StartTime, Payload, AppId FROM Activity WHERE instr(Payload, "UserEngaged") = 0', 'ParseGenericRow')]
REQUIRED_TABLES = frozenset({'Activity_PackageId', 'Activity'})
SCHEMAS = [{'Activity_PackageId': 'CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL, [PackageName] TEXT NOT NULL, [ExpirationTime] DATETIME NOT NULL)', 'ManualSequence': 'CREATE TABLE [ManualSequence]([Key] TEXT PRIMARY KEY NOT NULL, [Value] INT NOT NULL)', 'ActivityAssetCache': 'CREATE TABLE [ActivityAssetCache]([ResourceId] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, [AppId] TEXT NOT NULL, [AssetHash] TEXT NOT NULL, [TimeToLive] DATETIME NOT NULL, [AssetUri] TEXT, [AssetId] TEXT, [AssetKey] TEXT, [Contents] BLOB)', 'AppSettings': 'CREATE TABLE [AppSettings]([AppId] TEXT PRIMARY KEY NOT NULL, [SettingsPropertyBag] BLOB, [AppTitle] TEXT, [Logo4141] TEXT)', 'Metadata': 'CREATE TABLE [Metadata]([Key] TEXT PRIMARY KEY NOT NULL, [Value] TEXT)', 'Activity': 'CREATE TABLE [Activity]([Id] GUID PRIMARY KEY NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ActivityStatus] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [IsLocalOnly] INT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)', 'ActivityOperation': 'CREATE TABLE [ActivityOperation]([OperationOrder] INTEGER PRIMARY KEY ASC NOT NULL, [Id] GUID NOT NULL, [OperationType] INT NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [CreatedTime] DATETIME, [Attachments] TEXT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME NOT NULL, 
[EndTime] DATETIME, [LastModifiedOnClient] DATETIME NOT NULL, [CorrelationVector] TEXT, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)'}]
class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData[source]

Bases: plaso.containers.events.EventData

Windows Timeline database User Engaged event data.

Contains information describing how long a user interacted with an application.

package_identifier

str – the package ID or location of the executable the user interacted with.

reporting_app

str – the name of the application that reported the user’s interaction. This is the name of a monitoring tool, e.g. ShellActivityMonitor.

active_duration_seconds

int – the number of seconds the user spent interacting with the program.

DATA_TYPE = 'windows:timeline:user_engaged'
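Every plugin in this section follows the same SQLitePlugin pattern: REQUIRED_TABLES gates whether the plugin runs against a database, and QUERIES pairs each SQL statement with the name of the row callback that turns a result row into event data. The following is an added, self-contained illustration of that pattern applied to the Windows Timeline plugin described above; it is not plaso's own code and does not use the plaso API. It assumes that StartTime holds POSIX seconds, that the Payload BLOB is a UTF-8 JSON document with the keys reportingApp, activeDurationSeconds, displayText and appDisplayName (the page names only the resulting event attributes, so these key names are assumptions), and that AppId can be treated as a plain string. The sample database is constructed inline with a subset of the page's columns, and the page's queries are reproduced with single-quoted string literals so that SQLite cannot read "UserEngaged" or "packageid" as identifiers.

```python
"""Added example: the SQLitePlugin attribute pattern (REQUIRED_TABLES gate,
QUERIES mapped to row callbacks) on a constructed Windows Timeline database.
Not plaso's code; JSON key names and the POSIX StartTime are assumptions."""
import json
import sqlite3
from datetime import datetime, timezone

# Gate from the page: the plugin only runs when every listed table is present.
REQUIRED_TABLES = frozenset({'Activity_PackageId', 'Activity'})

# Same selection logic as the page's QUERIES, with single-quoted literals.
QUERIES = [
    ("SELECT StartTime, Payload, PackageName FROM Activity "
     "INNER JOIN Activity_PackageId ON Activity.Id = Activity_PackageId.ActivityId "
     "WHERE instr(Payload, 'UserEngaged') > 0 AND Platform = 'packageid'",
     'ParseUserEngagedRow'),
    ("SELECT StartTime, Payload, AppId FROM Activity "
     "WHERE instr(Payload, 'UserEngaged') = 0",
     'ParseGenericRow'),
]


def _payload_json(value):
    """Decodes the JSON document stored in the Payload column (bytes or str)."""
    if isinstance(value, (bytes, memoryview)):
        value = bytes(value).decode('utf-8')
    return json.loads(value)


def _posix_to_datetime(value):
    """StartTime is assumed to hold POSIX seconds; DATETIME is only an affinity hint."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def parse_user_engaged_row(row):
    """Builds a windows:timeline:user_engaged event; JSON key names are assumed."""
    payload = _payload_json(row['Payload'])
    return {
        'data_type': 'windows:timeline:user_engaged',
        'timestamp': _posix_to_datetime(row['StartTime']),
        'package_identifier': row['PackageName'],
        'reporting_app': payload.get('reportingApp'),
        'active_duration_seconds': int(payload.get('activeDurationSeconds', 0)),
    }


def parse_generic_row(row):
    """Builds a windows:timeline:generic event; AppId is treated as a plain string."""
    payload = _payload_json(row['Payload'])
    return {
        'data_type': 'windows:timeline:generic',
        'timestamp': _posix_to_datetime(row['StartTime']),
        'package_identifier': row['AppId'],
        'description': payload.get('displayText'),
        'application_display_name': payload.get('appDisplayName'),
    }


CALLBACKS = {
    'ParseUserEngagedRow': parse_user_engaged_row,
    'ParseGenericRow': parse_generic_row,
}


def plugin_applies(connection):
    """Mirrors the REQUIRED_TABLES gate: every required table must exist."""
    rows = connection.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return REQUIRED_TABLES.issubset({name for (name,) in rows})


def run_plugin(connection):
    """Runs each query and hands every result row to its named callback."""
    if not plugin_applies(connection):
        return []
    connection.row_factory = sqlite3.Row
    events = []
    for query, callback_name in QUERIES:
        callback = CALLBACKS[callback_name]
        events.extend(callback(row) for row in connection.execute(query))
    return events


def build_sample_database():
    """Constructed in-memory database: a subset of the page's columns, two activities."""
    connection = sqlite3.connect(':memory:')
    connection.executescript(
        "CREATE TABLE [Activity]([Id] GUID PRIMARY KEY NOT NULL, [AppId] TEXT NOT NULL, "
        "[Payload] BLOB, [StartTime] DATETIME);"
        "CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL, "
        "[PackageName] TEXT NOT NULL, [ExpirationTime] DATETIME NOT NULL);")
    engaged = json.dumps({'type': 'UserEngaged', 'reportingApp': 'ShellActivityMonitor',
                          'activeDurationSeconds': 125}).encode('utf-8')
    generic = json.dumps({'displayText': 'notes.txt',
                          'appDisplayName': 'Notepad'}).encode('utf-8')
    connection.executemany('INSERT INTO Activity VALUES (?, ?, ?, ?)', [
        ('guid-1', 'notepad.exe', engaged, 1546300800),  # 2019-01-01T00:00:00Z
        ('guid-2', 'notepad.exe', generic, 1546300900),
    ])
    connection.executemany('INSERT INTO Activity_PackageId VALUES (?, ?, ?, ?)', [
        ('guid-1', 'packageid', 'c:\\windows\\notepad.exe', 1546400000),
        ('guid-1', 'x_exe_path', 'c:\\windows\\notepad.exe', 1546400000),  # dropped by Platform filter
    ])
    return connection


if __name__ == '__main__':
    for event in run_plugin(build_sample_database()):
        print(event)
```

The join against Activity_PackageId yields one row per platform entry for an activity, which is why the first query filters on Platform = 'packageid'; without that filter the same UserEngaged activity would be emitted once per platform row. The table-presence check here is deliberately weaker than plaso's, which also compares the stored CREATE TABLE statements against SCHEMAS.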
plaso.parsers.sqlite_plugins.zeitgeist module

Plugin for the Zeitgeist SQLite database.

Zeitgeist is a service that logs user activities and events, ranging from files opened to websites visited and conversations.

class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin[source]

Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite plugin for Zeitgeist activity database.

DESCRIPTION = 'Parser for Zeitgeist activity SQLite database files.'
NAME = 'zeitgeist'
ParseZeitgeistEventRow(parser_mediator, query, row, **unused_kwargs)[source]

Parses a zeitgeist event row.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • query (str) – query that created the row.
  • row (sqlite3.Row) – row.
QUERIES = [('SELECT id, timestamp, subj_uri FROM event_view', 'ParseZeitgeistEventRow')]
REQUIRED_TABLES = frozenset({'event', 'actor'})
SCHEMAS = [{'schema_version': 'CREATE TABLE schema_version ( schema VARCHAR PRIMARY KEY ON CONFLICT REPLACE, version INT )', 'text': 'CREATE TABLE text ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )', 'payload': 'CREATE TABLE payload (id INTEGER PRIMARY KEY, value BLOB)', 'manifestation': 'CREATE TABLE manifestation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'interpretation': 'CREATE TABLE interpretation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'uri': 'CREATE TABLE uri ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )', 'mimetype': 'CREATE TABLE mimetype ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'extensions_conf': 'CREATE TABLE extensions_conf ( extension VARCHAR, key VARCHAR, value BLOB, CONSTRAINT unique_extension UNIQUE (extension, key) )', 'event': 'CREATE TABLE event ( id INTEGER, timestamp INTEGER, interpretation INTEGER, manifestation INTEGER, actor INTEGER, payload INTEGER, subj_id INTEGER, subj_interpretation INTEGER, subj_manifestation INTEGER, subj_origin INTEGER, subj_mimetype INTEGER, subj_text INTEGER, subj_storage INTEGER, origin INTEGER, subj_id_current INTEGER, CONSTRAINT interpretation_fk FOREIGN KEY(interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT manifestation_fk FOREIGN KEY(manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT actor_fk FOREIGN KEY(actor) REFERENCES actor(id) ON DELETE CASCADE, CONSTRAINT origin_fk FOREIGN KEY(origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT payload_fk FOREIGN KEY(payload) REFERENCES payload(id) ON DELETE CASCADE, CONSTRAINT subj_id_fk FOREIGN KEY(subj_id) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_id_current_fk FOREIGN KEY(subj_id_current) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_interpretation_fk FOREIGN KEY(subj_interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT subj_manifestation_fk FOREIGN KEY(subj_manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT subj_origin_fk FOREIGN KEY(subj_origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_mimetype_fk FOREIGN KEY(subj_mimetype) REFERENCES mimetype(id) ON DELETE CASCADE, CONSTRAINT subj_text_fk FOREIGN KEY(subj_text) REFERENCES text(id) ON DELETE CASCADE, CONSTRAINT subj_storage_fk FOREIGN KEY(subj_storage) REFERENCES storage(id) ON DELETE CASCADE, CONSTRAINT unique_event UNIQUE (timestamp, interpretation, manifestation, actor, subj_id) )', 'actor': 'CREATE TABLE actor ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'storage': 'CREATE TABLE storage ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE, state INTEGER, icon VARCHAR, display_name VARCHAR )'}]
class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData[source]

Bases: plaso.containers.events.EventData

Zeitgeist activity event data.

subject_uri

str – subject URI.

DATA_TYPE = 'zeitgeist:activity'
Module contents

Imports for the SQLite database parser.

plaso.parsers.syslog_plugins package
Submodules
plaso.parsers.syslog_plugins.cron module

This file contains a plugin for cron syslog entries.

class plaso.parsers.syslog_plugins.cron.CronSyslogPlugin[source]

Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin

A syslog plugin for parsing cron messages.

DESCRIPTION = 'Parser for syslog cron messages.'
MESSAGE_GRAMMARS = [('task_run', {{{{{{{"(" W:(ABCD...)} ")"} "CMD"} "("} Combine:(SkipTo:({")" StringEnd}))} ")"} StringEnd})]
NAME = 'cron'
ParseMessage(parser_mediator, key, date_time, tokens)[source]

Parses a syslog body that matched one of the defined grammars.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the matching grammar.
  • date_time (dfdatetime.DateTimeValues) – date and time values.
  • tokens (dict[str, str]) – tokens derived from a syslog message based on the defined grammar.
Raises:

ValueError – If an unknown key is provided.

REPORTER = 'CRON'
class plaso.parsers.syslog_plugins.cron.CronTaskRunEventData[source]

Bases: plaso.parsers.syslog.SyslogLineEventData

Cron task run event data.

command

str – command executed.

username

str – name of the user the command was executed as.

DATA_TYPE = 'syslog:cron:task_run'
plaso.parsers.syslog_plugins.interface module

This file contains the interface for syslog plugins.

class plaso.parsers.syslog_plugins.interface.SyslogPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

The interface for syslog plugins.

DESCRIPTION = ''
MESSAGE_GRAMMARS = []
NAME = 'syslog_plugin'
ParseMessage(parser_mediator, key, date_time, tokens)[source]

Parses a syslog body that matched one of the grammars the plugin defined.

Parameters:
  • parser_mediator (ParserMediator) – mediates the interactions between parsers and other components, such as storage and abort signals.
  • key (str) – name of the parsed structure.
  • date_time (dfdatetime.DateTimeValues) – date and time values.
  • tokens (dict[str, str]) – mapping of the field names extracted by the syslog parser and the matching grammar to the values of those fields.
Process(parser_mediator, date_time, syslog_tokens, **kwargs)[source]

Processes the data structure produced by the parser.

Parameters:
  • parser_mediator (ParserMediator) – mediates the interactions between parsers and other components, such as storage and abort signals.
  • date_time (dfdatetime.DateTimeValues) – date and time values.
  • syslog_tokens (dict[str, str]) – mapping of the field names extracted by the syslog parser and the matching grammar to the values of those fields.
Raises:
  • AttributeError – If the syslog_tokens do not include a ‘body’ key.
  • WrongPlugin – If the plugin is unable to parse the syslog tokens.
REPORTER = ''
plaso.parsers.syslog_plugins.ssh module

This file contains a plugin for SSH syslog entries.

class plaso.parsers.syslog_plugins.ssh.SSHEventData[source]

Bases: plaso.parsers.syslog.SyslogLineEventData

SSH event data.

address

str – IP address.

authentication_method

str – authentication method.

fingerprint

str – fingerprint of the key used to authenticate, when present in the message.

port

str – port.

protocol

str – protocol.

username

str – name of the user the authentication attempt was made for.

class plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData[source]

Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

SSH failed connection event data.

DATA_TYPE = 'syslog:ssh:failed_connection'
class plaso.parsers.syslog_plugins.ssh.SSHLoginEventData[source]

Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

SSH login event data.

DATA_TYPE = 'syslog:ssh:login'
class plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData[source]

Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

SSH opened connection event data.

DATA_TYPE = 'syslog:ssh:opened_connection'
class plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin[source]

Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin

A plugin for creating events from syslog messages produced by sshd.

DESCRIPTION = 'Parser for SSH syslog entries.'
MESSAGE_GRAMMARS = [('login', {{{{{{{{{{"Accepted" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)}} "port"} W:(0123...)} "ssh2"} [{":" Combine:({"RSA " W:(:012...)})}]} StringEnd}), ('failed_connection', {{{{{{{{"Failed" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)}} "port"} W:(0123...)} StringEnd}), ('opened_connection', {{{{"Connection from" {{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)}} "port"} W:(0123...)} LineEnd})]
NAME = 'ssh'
ParseMessage(parser_mediator, key, date_time, tokens)[source]

Produces an event from a syslog body that matched one of the grammars.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the matching grammar.
  • date_time (dfdatetime.DateTimeValues) – date and time values.
  • tokens (dict[str, str]) – tokens derived from a syslog message based on the defined grammar.
Raises:

ValueError – If an unknown key is provided.

REPORTER = 'sshd'
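The contract the interface and the two plugins above describe, as a stand-alone sketch: Process() checks the reporter, tries each MESSAGE_GRAMMARS entry against the syslog body, raises WrongPlugin when none fits, and hands the named tokens to ParseMessage() under the grammar's key, which raises ValueError for an unknown key. This is an added example, not plaso's code: regular expressions stand in for the pyparsing grammars, the syslog line splitter and the generic 'syslog:line' fallback data type are this example's assumptions, and the log lines are constructed. It also accepts a trailing "ssh2" on failed-connection messages, which the page's failed_connection grammar does not.

```python
"""Stand-alone sketch of the SyslogPlugin contract (added example, not plaso code).
Regular expressions stand in for the pyparsing grammars the real plugins define."""
import re

class WrongPlugin(Exception):
    """Raised when the plugin's reporter or grammars do not fit the message."""

class SyslogPlugin:
    NAME = 'syslog_plugin'
    REPORTER = ''
    MESSAGE_GRAMMARS = []  # list of (key, compiled regular expression)

    def Process(self, syslog_tokens):
        body = syslog_tokens.get('body')
        if body is None:
            raise AttributeError('Missing required attribute: body')
        if syslog_tokens.get('reporter') != self.REPORTER:
            raise WrongPlugin('Not a {0:s} message'.format(self.REPORTER))
        for key, grammar in self.MESSAGE_GRAMMARS:
            match = grammar.fullmatch(body)
            if match:
                return self.ParseMessage(key, match.groupdict())
        raise WrongPlugin('No grammar of {0:s} matched'.format(self.NAME))

    def ParseMessage(self, key, tokens):
        raise NotImplementedError

# IPv4 dotted quad or IPv6 address, mirroring the alternation in the ssh grammars.
_IP_ADDRESS = r'(?P<address>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)'

class SSHSyslogPlugin(SyslogPlugin):
    NAME = 'ssh'
    REPORTER = 'sshd'
    MESSAGE_GRAMMARS = [
        ('login', re.compile(
            r'Accepted (?P<authentication_method>password|publickey) for '
            r'(?P<username>\S+) from ' + _IP_ADDRESS + r' port (?P<port>\d+) '
            r'(?P<protocol>ssh2)(?:: (?P<fingerprint>RSA \S+))?')),
        ('failed_connection', re.compile(  # unlike the page's grammar, "ssh2" may follow
            r'Failed (?P<authentication_method>password|publickey) for '
            r'(?P<username>\S+) from ' + _IP_ADDRESS + r' port (?P<port>\d+)(?: ssh2)?')),
        ('opened_connection', re.compile(
            r'Connection from ' + _IP_ADDRESS + r' port (?P<port>\d+)')),
    ]

    def ParseMessage(self, key, tokens):
        if key not in ('login', 'failed_connection', 'opened_connection'):
            raise ValueError('Unknown grammar key: {0:s}'.format(key))
        event = {'data_type': 'syslog:ssh:' + key}  # DATA_TYPE of the matching event data
        event.update((name, value) for name, value in tokens.items() if value is not None)
        return event

class CronSyslogPlugin(SyslogPlugin):
    NAME = 'cron'
    REPORTER = 'CRON'
    MESSAGE_GRAMMARS = [
        ('task_run', re.compile(r'\((?P<username>\S+)\) CMD \((?P<command>.*)\)'))]

    def ParseMessage(self, key, tokens):
        if key != 'task_run':
            raise ValueError('Unknown grammar key: {0:s}'.format(key))
        return {'data_type': 'syslog:cron:task_run', **tokens}

# Classic "Mon DD HH:MM:SS host reporter[pid]: body" line (assumed line splitter).
_SYSLOG_LINE = re.compile(
    r'(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<hostname>\S+) (?P<reporter>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)')

def ParseSyslogLines(lines, plugins=(SSHSyslogPlugin(), CronSyslogPlugin())):
    """Offers each line's tokens to every plugin; unclaimed lines become a generic
    line event (data type 'syslog:line' assumed, after SyslogLineEventData)."""
    events = []
    for line in lines:
        match = _SYSLOG_LINE.fullmatch(line)
        if not match:
            continue  # not a syslog line this sketch understands
        tokens = match.groupdict()
        for plugin in plugins:
            try:
                event = plugin.Process(tokens)
            except WrongPlugin:
                continue
            event.update(reporter=tokens['reporter'], pid=tokens['pid'])
            events.append(event)
            break
        else:
            events.append({'data_type': 'syslog:line', 'reporter': tokens['reporter'],
                           'body': tokens['body']})
    return events

SAMPLE_LINES = [  # constructed sample input, not real log data
    'Jan 22 07:54:32 web01 sshd[1234]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: RSA SHA256:AbCdEf',
    'Jan 22 07:54:40 web01 sshd[1240]: Failed password for backup from 2001:db8::7 port 40122 ssh2',
    'Jan 22 07:55:01 web01 sshd[1250]: Connection from 10.0.0.9 port 33001',
    'Jan 22 07:55:01 web01 CRON[1260]: (root) CMD (/usr/local/bin/backup.sh --full)',
    'Jan 22 07:55:07 web01 sshd[1270]: Failed password for invalid user admin from 10.0.0.9 port 33001 ssh2',
]
```

The last sample line is the caveat worth keeping in mind: sshd reports attempts against non-existent accounts as "Failed password for invalid user admin from ...", a multi-word subject that a single-word username grammar (W:(ABCD...) in the reprs above, \S+ here) does not match, so the line falls through to the generic line event rather than becoming a syslog:ssh:failed_connection event. Before concluding from a timeline that failed logins to unknown accounts are absent, check the generic syslog events for that host as well.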
Module contents

Imports for the syslog parser.

plaso.parsers.winreg_plugins package
Submodules
plaso.parsers.winreg_plugins.appcompatcache module

Windows Registry plugin to parse the Application Compatibility Cache key.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheCachedEntry[source]

Bases: object

Class that contains the Application Compatibility Cache cached entry.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData[source]

Bases: plaso.containers.events.EventData

Class that defines AppCompatCache event data.

entry_index

int – cache entry index number for the record.

key_path

str – Windows Registry key path.

path

str – full path to the executable.

DATA_TYPE = 'windows:registry:appcompatcache'
class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheHeader[source]

Bases: object

Class that contains the Application Compatibility Cache header.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that parses the Application Compatibility Cache Registry data.

DESCRIPTION = 'Parser for Application Compatibility Cache Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises:

ParseError – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'appcompatcache'
URLS = ['https://github.com/libyal/winreg-kb/blob/master/documentation/Application%20Compatibility%20Cache%20key.asciidoc']
plaso.parsers.winreg_plugins.bagmru module

This file contains BagMRU Windows Registry plugins (shellbags).

class plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that defines a BagMRU Windows Registry plugin.

DESCRIPTION = 'Parser for BagMRU Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'bagmru'
URLS = ['https://github.com/libyal/winreg-kb/blob/master/documentation/MRU%20keys.asciidoc#bagmru-key']
plaso.parsers.winreg_plugins.ccleaner module

Parser for the CCleaner Registry key.

class plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Gathers the CCleaner keys from the NTUSER hive.

DESCRIPTION = 'Parser for CCleaner Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'ccleaner'
URLS = ['http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part_05.html']
class plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData[source]

Bases: plaso.containers.events.EventData

CCleaner update event data.

key_path

str – Windows Registry key path.

DATA_TYPE = 'ccleaner:update'
plaso.parsers.winreg_plugins.default module

The default Windows Registry plugin.

class plaso.parsers.winreg_plugins.default.DefaultPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Default plugin that extracts minimal information from every Registry key.

The default plugin parses every Registry key passed to it and extracts minimal information, such as the list of available values and, where possible, the content of those values. The event timestamp is the key's last-written time.

DESCRIPTION = 'Parser for Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
NAME = 'winreg_default'
plaso.parsers.winreg_plugins.dtfabric_plugin module

Shared functionality for dtFabric-based data format Registry plugins.

class plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Shared functionality for dtFabric-based data format Registry plugins.

A dtFabric-based data format Windows Registry parser plugin defines its data format structures in a dtFabric definition file, for example “dtfabric.yaml”:

name: int32
type: integer
description: 32-bit signed integer type
attributes:
  format: signed
  size: 4
  units: bytes
---
name: point3d
aliases: [POINT]
type: structure
description: Point in 3 dimensional space.
attributes:
  byte_order: little-endian
members:
- name: x
  aliases: [XCOORD]
  data_type: int32
- name: y
  data_type: int32
- name: z
  data_type: int32
The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition file contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream. For example, given the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A plugin that wants to implement a dtFabric-based data format parser needs to:
  • define a definition file and override _DEFINITION_FILE;
  • implement the ExtractEvents method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in the definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
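The definition-file to data-type-map to Python-object flow described above, as an added stand-alone example (not dtfabric's or plaso's code): the int32 and point3d definitions from the YAML are held as Python dicts, DataTypeMap turns a structure definition into a struct format plus a namedtuple type, a small Fabric caches maps the way _GetDataTypeMap is described to, and ReadStructure reads exactly one structure from a file-like object as _ReadStructure does, raising ParseError on a short read instead of letting struct.error escape. The integer code table goes beyond the page's int32 to the other sizes and signedness; the class and function names are this example's own.

```python
"""Added illustration (not dtfabric or plaso code) of definitions -> cached data
type map -> Python object read from a byte stream, using only the standard library."""
import collections
import io
import struct


class ParseError(Exception):
    """Raised when the byte stream is shorter than the structure needs."""


# The int32 and point3d definitions from the example YAML, as Python dicts.
DEFINITIONS = {
    'int32': {'type': 'integer', 'format': 'signed', 'size': 4},
    'point3d': {
        'type': 'structure', 'byte_order': 'little-endian',
        'members': [{'name': 'x', 'data_type': 'int32'},
                    {'name': 'y', 'data_type': 'int32'},
                    {'name': 'z', 'data_type': 'int32'}]},
}

# (format, size) -> struct code; covers more than the int32 the page shows.
_INTEGER_CODES = {
    ('signed', 1): 'b', ('unsigned', 1): 'B', ('signed', 2): 'h', ('unsigned', 2): 'H',
    ('signed', 4): 'i', ('unsigned', 4): 'I', ('signed', 8): 'q', ('unsigned', 8): 'Q'}
_BYTE_ORDER = {'little-endian': '<', 'big-endian': '>'}


class DataTypeMap:
    """Maps a structure definition onto a struct format and a namedtuple type."""

    def __init__(self, name, definitions):
        definition = definitions[name]
        if definition.get('type') != 'structure':
            raise ValueError('{0:s} is not a structure definition'.format(name))
        format_codes, member_names = [], []
        for member in definition['members']:
            member_definition = definitions[member['data_type']]
            format_codes.append(
                _INTEGER_CODES[(member_definition['format'], member_definition['size'])])
            member_names.append(member['name'])
        self.name = name
        self._struct = struct.Struct(
            _BYTE_ORDER[definition['byte_order']] + ''.join(format_codes))
        self._tuple_type = collections.namedtuple(name, member_names)

    @property
    def size(self):
        return self._struct.size

    def MapByteStream(self, byte_stream):
        """Maps the first `size` bytes of byte_stream onto the structure."""
        if len(byte_stream) < self.size:
            raise ParseError('{0:s}: need {1:d} bytes, got {2:d}'.format(
                self.name, self.size, len(byte_stream)))
        return self._tuple_type._make(self._struct.unpack_from(byte_stream))


class Fabric:
    """The collection of definitions; GetDataTypeMap caches maps for reuse."""

    def __init__(self, definitions):
        self._definitions = definitions
        self._cache = {}

    def GetDataTypeMap(self, name):
        if name not in self._cache:
            self._cache[name] = DataTypeMap(name, self._definitions)
        return self._cache[name]


def ReadStructure(file_object, data_type_map):
    """Reads one structure from a file-like object, failing cleanly on truncation."""
    data = file_object.read(data_type_map.size)
    if len(data) != data_type_map.size:
        raise ParseError('truncated {0:s}: read {1:d} of {2:d} bytes'.format(
            data_type_map.name, len(data), data_type_map.size))
    return data_type_map.MapByteStream(data)


FABRIC = Fabric(DEFINITIONS)
# The byte stream from the text above: 01 00 00 00 02 00 00 00 03 00 00 00 (constructed).
SAMPLE_STREAM = bytes.fromhex('01 00 00 00 02 00 00 00 03 00 00 00')


def ReadPoint(data):
    """Reads a point3d from bytes; SAMPLE_STREAM yields point3d(x=1, y=2, z=3)."""
    return ReadStructure(io.BytesIO(data), FABRIC.GetDataTypeMap('point3d'))
```

The length check in ReadStructure and MapByteStream is the part that matters when the input is hostile or damaged: a truncated or malformed Registry value should surface as the ParseError the plugins above document for ExtractEvents, not as a bare struct.error from deep inside the plugin.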
plaso.parsers.winreg_plugins.interface module

The Windows Registry plugin interface.

class plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter[source]

Bases: object

Class that defines the Windows Registry key filter interface.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the Windows Registry key matches the filter.
Return type:bool
key_paths

List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter(key_path)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the Windows Registry key matches the filter.
Return type:bool
key_paths

List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path prefix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the Windows Registry key matches the filter.
Return type:bool
class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path suffix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the Windows Registry key matches the filter.
Return type:bool
class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter(value_names)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the Windows Registry key matches the filter.
Return type:bool
class plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

The Windows Registry plugin interface.

DESCRIPTION = 'Parser for Windows Registry value data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset()
NAME = 'winreg_plugin'
Process(parser_mediator, registry_key, **kwargs)[source]

Processes a Windows Registry key or value.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises:

ValueError – If the Windows Registry key is not set.

URLS = []
UpdateChainAndProcess(parser_mediator, registry_key, **kwargs)[source]

Updates the parser chain and processes a Windows Registry key or value.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises:

ValueError – If the Windows Registry key is not set.
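
How the interface above fits together, as an added stand-alone sketch (not plaso's code): a plugin declares FILTERS, a key is handed to the first plugin whose filter Match() returns True for it, keys no plugin claims fall to the default plugin described earlier, and Process() raises the documented ValueError when no key is set. FakeRegistryKey is a constructed stand-in for dfwinreg.WinRegistryKey, RunKeyPlugin and its data types are hypothetical, and the sample keys are constructed. The path filter compares upper-cased paths because Windows Registry key paths are case-insensitive; the page's prefix, suffix and with-values filters follow the same Match() protocol and are left out here.

```python
"""Added illustration (not plaso code) of the plugin interface documented above:
a plugin declares FILTERS, a key goes to the first plugin whose filter matches,
and unclaimed keys fall to the default plugin. FakeRegistryKey is a constructed
stand-in for dfwinreg.WinRegistryKey; RunKeyPlugin is hypothetical."""


class FakeRegistryKey:
    """Constructed stand-in: key path, last-written time and value name -> data."""

    def __init__(self, path, values, last_written_time):
        self.path = path
        self.last_written_time = last_written_time
        self._values = dict(values)

    def GetValueByName(self, name):
        return self._values.get(name)  # exact-name lookup is enough for this sketch

    def GetValueNames(self):
        return sorted(self._values)


class WindowsRegistryKeyPathFilter:
    """Exact path match; Registry paths are case-insensitive, so compare upper-cased."""

    def __init__(self, key_path):
        self.key_paths = [key_path]
        self._key_path_upper = key_path.upper()

    def Match(self, registry_key):
        return registry_key.path.upper() == self._key_path_upper


class WindowsRegistryPlugin:
    NAME = 'winreg_plugin'
    FILTERS = frozenset()

    def ExtractEvents(self, registry_key):
        raise NotImplementedError

    def Process(self, registry_key):
        if registry_key is None:  # the ValueError the interface documents
            raise ValueError('Windows Registry key is not set.')
        return self.ExtractEvents(registry_key)


class RunKeyPlugin(WindowsRegistryPlugin):
    """Hypothetical autostart plugin: one event per value under a Run key."""
    NAME = 'example_run'
    FILTERS = frozenset([
        WindowsRegistryKeyPathFilter(hive + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run')
        for hive in ('HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE')])

    def ExtractEvents(self, registry_key):
        return [{'data_type': 'example:registry:run', 'key_path': registry_key.path,
                 'name': name, 'command': registry_key.GetValueByName(name),
                 'timestamp': registry_key.last_written_time}
                for name in registry_key.GetValueNames()]


class DefaultPlugin(WindowsRegistryPlugin):
    """Fallback: value names only, timestamped with the key's last-written time."""
    NAME = 'winreg_default'

    def ExtractEvents(self, registry_key):
        return [{'data_type': 'example:registry:key_value', 'key_path': registry_key.path,
                 'values': registry_key.GetValueNames(),
                 'timestamp': registry_key.last_written_time}]


def SelectPlugin(registry_key, plugins=(RunKeyPlugin(),)):
    """First plugin with a matching filter wins; otherwise the default plugin."""
    for plugin in plugins:
        if any(key_filter.Match(registry_key) for key_filter in plugin.FILTERS):
            return plugin
    return DefaultPlugin()


def ProcessKeys(registry_keys):
    """Runs every key through the plugin selected for it and collects the events."""
    events = []
    for registry_key in registry_keys:
        plugin = SelectPlugin(registry_key)
        for event in plugin.Process(registry_key):
            event['plugin'] = plugin.NAME
            events.append(event)
    return events


_LAST_WRITTEN = '2024-01-22T07:54:32'
SAMPLE_KEYS = [  # constructed sample keys; the lower-case Run path must still match
    FakeRegistryKey('hkey_current_user\\software\\microsoft\\windows\\currentversion\\run',
                    {'Updater': 'C:\\Users\\Public\\upd.exe -s'}, _LAST_WRITTEN),
    FakeRegistryKey('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip',
                    {'ImagePath': 'system32\\drivers\\tcpip.sys', 'Start': 1}, _LAST_WRITTEN),
]
```

The first sample key deliberately uses a lower-case path: an exact, case-sensitive comparison would silently route an autostart key, a classic persistence location, to the default plugin, where only the value names survive and the command line does not. The default plugin's single event per key is also why its timestamp is the key's last-written time: there is nothing finer-grained to attach to a bare list of value names.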

plaso.parsers.winreg_plugins.lfu module

Plug-in to collect the Less Frequently Used Keys.

class plaso.parsers.winreg_plugins.lfu.BootExecutePlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the BootExecute Value from the Session Manager key.

DESCRIPTION = 'Parser for Boot Execution Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_boot_execute'
URLS = ['http://technet.microsoft.com/en-us/library/cc963230.aspx']
class plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the Boot Verification Key.

DESCRIPTION = 'Parser for Boot Verification Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_boot_verify'
URLS = ['http://technet.microsoft.com/en-us/library/cc782537(v=ws.10).aspx']
plaso.parsers.winreg_plugins.mountpoints module

This file contains the MountPoints2 plugin.

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MountPoints2 key.

DESCRIPTION = 'Parser for mount points Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'explorer_mountpoints2'
URLS = ['http://support.microsoft.com/kb/932463']
plaso.parsers.winreg_plugins.mrulist module

This file contains an MRUList Registry plugin.

class plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class for common MRUList Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUList.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulist_shell_item_list'
URLS = ['https://github.com/libyal/winreg-kb/wiki/MRU-keys']
class plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the Windows Registry key matches the filter.
Return type:bool
class plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUList.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter object>})
NAME = 'mrulist_string'
URLS = ['http://forensicartifacts.com/tag/mru/']
plaso.parsers.winreg_plugins.mrulistex module

This file contains MRUListEx Windows Registry plugins.

class plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class for common MRUListEx Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUListEx.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulistex_shell_item_list'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item list MRUListEx.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulistex_string_and_shell_item_list'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item MRUListEx.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulistex_string_and_shell_item'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the Windows Registry key matches the filter.
Return type:bool
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUListEx.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter object>})
NAME = 'mrulistex_string'
URLS = ['http://forensicartifacts.com/2011/02/recentdocs/', 'https://github.com/libyal/winreg-kb/wiki/MRU-keys']
plaso.parsers.winreg_plugins.msie_zones module

This file contains the MSIE zone settings plugin.

class plaso.parsers.winreg_plugins.msie_zones.MsieZoneSettingsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MSIE Zones settings.

The MSIE feature controls are stored in the zone-specific subkeys of:
  • Internet Settings\Zones
  • Internet Settings\Lockdown_Zones
DESCRIPTION = 'Parser for Internet Explorer zone settings Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'msie_zone'
URLS = ['http://support.microsoft.com/kb/182569']
plaso.parsers.winreg_plugins.network_drives module

This file contains the Network registry plugin.

class plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Network key.

DESCRIPTION = 'Parser for Network Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'network_drives'
plaso.parsers.winreg_plugins.networks module

This file contains the NetworkList registry plugin.

class plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for parsing the NetworkList key.

DESCRIPTION = 'Parser for NetworkList data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'networks'
class plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkEventData[source]

Bases: plaso.containers.events.EventData

Windows network event data.

connection_type

str – type of connection.

default_gateway_mac

str – MAC address for the default gateway.

description

str – description of the wireless connection.

dns_suffix

str – DNS suffix.

ssid

str – SSID of the connection.

DATA_TYPE = 'windows:registry:network'
plaso.parsers.winreg_plugins.officemru module

Windows Registry plugin for the Microsoft Office MRU.

class plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plugin that parses Microsoft Office MRU keys.

DESCRIPTION = 'Parser for Microsoft Office MRU Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'microsoft_office_mru'
class plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Microsoft Office MRU Windows Registry event data.

key_path

str – Windows Registry key path.

value_string

str – MRU value.

DATA_TYPE = 'windows:registry:office_mru'
plaso.parsers.winreg_plugins.outlook module

This file contains an Outlook Registry parser.

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin parsing Outlook Search MRU keys.

DESCRIPTION = 'Parser for Microsoft Outlook search MRU Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'microsoft_outlook_mru'
plaso.parsers.winreg_plugins.programscache module

Windows Registry plugin to parse the Explorer ProgramsCache key.

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that parses the Explorer ProgramsCache Registry data.

DESCRIPTION = 'Parser for Explorer ProgramsCache Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'explorer_programscache'
URLS = ['https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc']
plaso.parsers.winreg_plugins.run module

This file contains the Run/RunOnce Key plugins for Plaso.

class plaso.parsers.winreg_plugins.run.AutoRunsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing user specific auto runs.

DESCRIPTION = 'Parser for run and run once Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_run'
URLS = ['http://msdn.microsoft.com/en-us/library/aa376977(v=vs.85).aspx']
plaso.parsers.winreg_plugins.sam_users module

Windows Registry plugin for SAM Users Account information.

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Class that defines SAM users Windows Registry event data.

account_rid

int – account relative identifier (RID).

comments

str – comments.

fullname

str – full name.

key_path

str – Windows Registry key path.

login_count

int – login count.

username

str – a string containing the username.

DATA_TYPE = 'windows:registry:sam_users'
class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for SAM Users Account information.

DESCRIPTION = 'Parser for SAM Users and Names Registry keys.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_sam_users'
plaso.parsers.winreg_plugins.services module

Plug-in to format the Services and Drivers key with Start and Type values.

class plaso.parsers.winreg_plugins.services.ServicesPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to format the Services and Drivers keys having Type and Start.

DESCRIPTION = 'Parser for services and drivers Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter object>})
GetServiceDll(key)[source]

Get the Service DLL for a service, if it exists.

Checks for a ServiceDLL in the Parameters subkey of a service key in the Registry.

Parameters: key (dfwinreg.WinRegistryKey) – a Windows Registry key.
Returns: path of the service DLL or None.
Return type: str
NAME = 'windows_services'
URLS = ['http://support.microsoft.com/kb/103000']
plaso.parsers.winreg_plugins.shutdown module

Windows Registry plugin for parsing the last shutdown time of a system.

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Shutdown Windows Registry event data.

key_path

str – Windows Registry key path.

value_name

str – name of the Windows Registry value.

DATA_TYPE = 'windows:registry:shutdown'
class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for parsing the last shutdown time of a system.

DESCRIPTION = 'Parser for ShutdownTime Registry value.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a ShutdownTime Windows Registry value.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_shutdown'
plaso.parsers.winreg_plugins.task_scheduler module

This file contains the Task Scheduler Registry keys plugins.

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData[source]

Bases: plaso.containers.events.EventData

Task Cache event data.

task_name

str – name of the task.

task_identifier

str – identifier of the task.

DATA_TYPE = 'task_scheduler:task_cache:entry'
class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Plugin that parses a Task Cache key.

DESCRIPTION = 'Parser for Task Scheduler cache Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_task_cache'
URLS = ['https://github.com/libyal/winreg-kb/blob/master/documentation/Task%20Scheduler%20Keys.asciidoc']
plaso.parsers.winreg_plugins.terminal_server module

This file contains the Terminal Server Registry plugins.

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection MRU keys.

DESCRIPTION = 'Parser for Terminal Server Client MRU Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client MRU Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mstsc_rdp_mru'
class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection keys.

DESCRIPTION = 'Parser for Terminal Server Client Connection Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mstsc_rdp'
plaso.parsers.winreg_plugins.timezone module

Plug-in to collect information about the Windows timezone settings.

class plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows timezone settings.

DESCRIPTION = 'Parser for Windows timezone settings.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_timezone'
plaso.parsers.winreg_plugins.typedurls module

File containing a Windows Registry plugin to parse the typed URLs key.

class plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

A Windows Registry plugin for typed URLs history.

DESCRIPTION = 'Parser for Explorer typed URLs Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_typed_urls'
plaso.parsers.winreg_plugins.usb module

File containing a Windows Registry plugin to parse the USB Device key.

class plaso.parsers.winreg_plugins.usb.USBPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USB Windows Registry plugin for last connection time.

DESCRIPTION = 'Parser for USB device Registry entries.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_usb_devices'
URLS = ['https://msdn.microsoft.com/en-us/library/windows/hardware/jj649944%28v=vs.85%29.aspx']
plaso.parsers.winreg_plugins.usbstor module

File containing a Windows Registry plugin to parse the USBStor key.

class plaso.parsers.winreg_plugins.usbstor.USBStorPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USBStor key plugin.

DESCRIPTION = 'Parser for USB Plug And Play Manager USBStor Registry Key.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_usbstor_devices'
URLS = ['http://www.forensicswiki.org/wiki/USB_History_Viewing']
plaso.parsers.winreg_plugins.userassist module

The UserAssist Windows Registry plugin.

class plaso.parsers.winreg_plugins.userassist.UserAssistPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Plugin that parses a UserAssist key.

DESCRIPTION = 'Parser for User Assist Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>})
NAME = 'userassist'
URLS = ['http://blog.didierstevens.com/programs/userassist/', 'https://code.google.com/p/winreg-kb/wiki/UserAssistKeys', 'http://intotheboxes.files.wordpress.com/2010/04/intotheboxes_2010_q1.pdf']
class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

UserAssist Windows Registry event data.

application_focus_count

int – application focus count.

application_focus_duration

int – application focus duration.

entry_index

int – entry index.

key_path

str – Windows Registry key path.

number_of_executions

int – number of executions.

regvalue

dict[str, str] – UserAssist values.

value_name

str – name of the Windows Registry value.

DATA_TYPE = 'windows:registry:userassist'
class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter(user_assist_guid)[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter

UserAssist Windows Registry key path filter.

plaso.parsers.winreg_plugins.windows_version module

Plug-in to collect information about the Windows version.

class plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows version.

DESCRIPTION = 'Parser for Windows version Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_version'
plaso.parsers.winreg_plugins.winlogon module

This file contains the Winlogon Registry plugin.

class plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Winlogon key.

DESCRIPTION = 'Parser for winlogon Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'winlogon'
plaso.parsers.winreg_plugins.winrar module

This file contains a Windows Registry plugin for WinRAR Registry key.

class plaso.parsers.winreg_plugins.winrar.WinRarHistoryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing WinRAR History keys.

DESCRIPTION = 'Parser for WinRAR History Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'winrar_mru'
Module contents

Imports for the Windows Registry parser.

Submodules
plaso.parsers.amcache module

File containing a Windows Registry plugin to parse the Amcache Hive.

class plaso.parsers.amcache.AmcacheEventData[source]

Bases: plaso.containers.events.EventData

Amcache event data.

full_path

str – full path of file

sha1

str – sha1 of file

productname

str – product name file belongs to

companyname

str – company name that created the product the file belongs to

fileversion

str – version of file

languagecode

int – language code of file

filesize

int – size of file in bytes

filedescription

str – description of file

linkerts

int – unix timestamp when file was linked

lastmodifiedts

int – filetime timestamp of last modified datetime of file

createdtd

int – filetime timestamp of created datetime of file

programid

str – GUID of entry under Root/Program key file belongs to

DATA_TYPE = 'windows:registry:amcache'
class plaso.parsers.amcache.AmcacheParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Amcache Registry plugin for recently run programs.

DESCRIPTION = 'Parser for Amcache Registry entries.'
NAME = 'amcache'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Amcache.hve file for events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
URLS = ['http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html']
class plaso.parsers.amcache.AmcacheProgramEventData[source]

Bases: plaso.containers.events.EventData

Amcache programs event data.

name

str – name of installed program

version

str – version of program

publisher

str – publisher of program

languagecode

int – languagecode of program

entrytype

str – type of entry (usually AddRemoveProgram)

uninstallkey

str – unicode string of uninstall registry key for program

filepath

str – file path of installed program

productcode

str – product code of program

packagecode

str – package code of program

msiproductcode

str – MSI product code of program

msipackagecode

str – MSI package code of program

files

str – list of files belonging to program

DATA_TYPE = 'windows:registry:amcache:programs'
plaso.parsers.android_app_usage module

Parser for the Android usage-history.xml files.

class plaso.parsers.android_app_usage.AndroidAppUsageEventData[source]

Bases: plaso.containers.events.EventData

Android Application event data.

package_name

str – name of the Android application.

component_name

str – name of the individual component of the application.

DATA_TYPE = 'android:event:last_resume_time'
class plaso.parsers.android_app_usage.AndroidAppUsageParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses the Android usage-history.xml file.

DESCRIPTION = 'Parser for Android usage-history.xml files.'
NAME = 'android_app_usage'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Android usage-history file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.apache_access module

Apache access log (access.log) parser.

Parser based on the two default Apache log formats, the common and the combined log format, defined in https://httpd.apache.org/docs/2.4/logs.html

class plaso.parsers.apache_access.ApacheAccessEventData[source]

Bases: plaso.containers.events.EventData

Apache access event data.

ip_address

str – IPv4 or IPv6 address of the client.

remote_name

str – remote logname (from identd, if supplied).

user_name

str – logged user name.

http_request

str – first line of http request.

http_response_code

int – http response code from server.

http_response_bytes

int – http response bytes size without headers.

http_request_referer

str – http request referer header information.

http_request_user_agent

str – http request user agent header information.

DATA_TYPE = 'apache:access'
class plaso.parsers.apache_access.ApacheAccessParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Apache access log file parser.

DESCRIPTION = 'Apache access Parser'
LINE_STRUCTURES = [('combined_log_format', {{{{{{{{{{{{{{{{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")}} Suppress:(""")} SkipTo:(""")} Suppress:(""")} W:(0123...)} W:(0123...)} Suppress:(""")} SkipTo:(""")} Suppress:(""")} Suppress:(""")} SkipTo:(""")} Suppress:(""")} lineEnd}), ('common_log_format', {{{{{{{{{{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")}} Suppress:(""")} SkipTo:(""")} Suppress:(""")} W:(0123...)} W:(0123...)} lineEnd})]
NAME = 'apache_access'
ParseRecord(parser_mediator, key, structure)[source]

Parses a matching entry.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – elements parsed from the file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]

Verifies that this is an apache access log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from the text file.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool
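
The common and combined formats parsed by this class, shown as an added example (my code, not plaso's ApacheAccessParser): a regular-expression parser that yields one dict per line keyed like the ApacheAccessEventData attributes listed above, plus a VerifyStructure-style check on the first line. The sample log lines are constructed; the client addresses use documentation ranges and the host name is fictitious.

```python
"""Added example: parses Apache common and combined log format lines."""
import re
from datetime import datetime

# One expression covers both formats: the trailing referer/user-agent pair is
# optional, which is exactly what distinguishes the combined format from the
# common format in the two LINE_STRUCTURES listed for the class.
_ACCESS_LINE_RE = re.compile(
    r'^(?P<ip_address>\S+) (?P<remote_name>\S+) (?P<user_name>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<http_request>[^"]*)" '
    r'(?P<http_response_code>\d{3}) (?P<http_response_bytes>\d+|-)'
    r'(?: "(?P<http_request_referer>[^"]*)" "(?P<http_request_user_agent>[^"]*)")?$')

# Apache's default %t layout, e.g. 10/Oct/2020:13:55:36 +0000
_TIMESTAMP_FORMAT = '%d/%b/%Y:%H:%M:%S %z'


def parse_access_line(line):
    """Parses one access log line.

    Returns a dict keyed like the ApacheAccessEventData attributes, plus
    'format' and a timezone-aware 'timestamp', or None when the line matches
    neither format.
    """
    match = _ACCESS_LINE_RE.match(line.rstrip('\r\n'))
    if not match:
        return None
    fields = match.groupdict()
    try:
        timestamp = datetime.strptime(fields.pop('timestamp'), _TIMESTAMP_FORMAT)
    except ValueError:
        return None
    fields['http_response_code'] = int(fields['http_response_code'])
    # Apache writes "-" for %b when no body was sent (for example a 304 response).
    size = fields['http_response_bytes']
    fields['http_response_bytes'] = 0 if size == '-' else int(size)
    fields['format'] = ('combined_log_format'
                        if fields['http_request_user_agent'] is not None
                        else 'common_log_format')
    fields['timestamp'] = timestamp
    return fields


def verify_access_log(first_line):
    """Counterpart of VerifyStructure: True if the first line parses as an entry."""
    return parse_access_line(first_line) is not None


def parse_access_log(lines):
    """Parses all lines, skipping those that match neither format."""
    events = []
    for line in lines:
        event = parse_access_line(line)
        if event is not None:
            events.append(event)
    return events


# Constructed sample lines (not from a real server): one common-format entry,
# one combined-format entry with an IPv6 client and no response body, one junk line.
SAMPLE_LINES = [
    '192.0.2.10 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '2001:db8::1 - alice [10/Oct/2020:13:55:40 +0000] "POST /login HTTP/1.1" 302 - '
    '"https://example.test/" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == '__main__':
    for event in parse_access_log(SAMPLE_LINES):
        print(event['timestamp'].isoformat(), event['ip_address'],
              event['http_request'], event['http_response_code'], event['format'])
```

The user-agent and referer fields are client-supplied strings; keep them as opaque text in the event rather than interpreting them, and note that the `-` placeholder for `%b` is mapped to 0 bytes here so the field stays an integer as the event data declares it.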

plaso.parsers.asl module

The Apple System Log Parser.

class plaso.parsers.asl.ASLEventData[source]

Bases: plaso.containers.events.EventData

Convenience class for an ASL event.

computer_name

str – name of the host.

extra_information

str – extra fields associated to the event.

facility

str – facility.

group_id

int – group identifier (GID).

level

str – level of criticality of the event.

message_id

int – message identifier.

message

str – message of the event.

pid

int – process identifier (PID).

read_uid

int – user identifier that can read this file, where -1 represents all.

read_gid

int – the group identifier that can read this file, where -1 represents all.

record_position

int – position of the event record.

sender

str – sender or process that created the event.

user_sid

str – user identifier (UID).

DATA_TYPE = 'mac:asl:event'
class plaso.parsers.asl.ASLParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for ASL log files.

DESCRIPTION = 'Parser for ASL log files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification
NAME = 'asl_log'
ParseFileObject(parser_mediator, file_object)[source]

Parses an ASL file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.bash_history module

Parser for bash history files.

class plaso.parsers.bash_history.BashHistoryEventData[source]

Bases: plaso.containers.events.EventData

Bash history log event data.

command

str – command that was executed.

DATA_TYPE = 'bash:history:command'
class plaso.parsers.bash_history.BashHistoryParser[source]

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses events from Bash history files.

DESCRIPTION = 'Parser for Bash history files'
LINE_STRUCTURES = [('log_entry', {{{Suppress:("#") W:(0123...)} Re:('.*?(?=($|\\n#\\d{10}))')} lineEnd})]
NAME = 'bash'
ParseRecord(parser_mediator, key, structure)[source]

Parses a record and produces a Bash history event.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – elements parsed from the file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]

Verifies that this is a bash history file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • lines (str) – one or more lines from the text file.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool
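
The record layout this parser's LINE_STRUCTURES describe, a `#<epoch>` marker line followed by the command text up to the next marker, as an added example (my code, not plaso's BashHistoryParser). It also keeps commands that precede the first marker, which bash writes when HISTTIMEFORMAT was unset at the time; the sample history is constructed.

```python
"""Added example: parses bash history with HISTTIMEFORMAT timestamp markers."""
import re
from datetime import datetime, timezone

# bash writes "#<epoch>" on its own line before each command when HISTTIMEFORMAT
# is set; the parser's grammar anchors on the same 10-digit marker.
_TIMESTAMP_LINE_RE = re.compile(r'^#(\d{10})$')


def verify_bash_history(text):
    """Counterpart of VerifyStructure: the text must open with a timestamp
    marker followed by a command line."""
    lines = text.splitlines()
    return (len(lines) >= 2
            and _TIMESTAMP_LINE_RE.match(lines[0]) is not None
            and _TIMESTAMP_LINE_RE.match(lines[1]) is None)


def parse_bash_history(text):
    """Parses history text into {'timestamp', 'command'} records.

    A command runs from its marker up to the next marker, so multi-line
    commands (loops, heredocs) stay intact, which is what the non-greedy
    '.*?(?=($|\\n#\\d{10}))' expression in LINE_STRUCTURES achieves. Commands
    before the first marker carry no timestamp and are returned with
    timestamp None rather than dropped.
    """
    records = []
    timestamp = None
    command_lines = []
    for line in text.splitlines():
        match = _TIMESTAMP_LINE_RE.match(line)
        if match is None:
            command_lines.append(line)
            continue
        if command_lines:
            records.append({'timestamp': timestamp,
                            'command': '\n'.join(command_lines)})
        timestamp = datetime.fromtimestamp(int(match.group(1)), tz=timezone.utc)
        command_lines = []
    if command_lines:
        records.append({'timestamp': timestamp,
                        'command': '\n'.join(command_lines)})
    return records


# Constructed sample (not from a real system): an untimestamped command, then
# three timestamped ones, one of which spans several lines.
SAMPLE_HISTORY = (
    'uptime\n'
    '#1601500000\n'
    'ls -la /var/log\n'
    '#1601500060\n'
    'for f in a b; do\n'
    '  echo "$f"\n'
    'done\n'
    '#1601500120\n'
    'sudo systemctl status sshd\n'
)

if __name__ == '__main__':
    for record in parse_bash_history(SAMPLE_HISTORY):
        when = record['timestamp'].isoformat() if record['timestamp'] else 'no timestamp'
        print(when, repr(record['command']))
```

When these records go into a timeline, remember that `.bash_history` is an ordinary file writable by the account that owns it, so the markers reflect what the file says, not an independent clock; corroborate with auth logs or file system timestamps before relying on them.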

plaso.parsers.bencode_parser module

This file contains the Bencode Parser.

Plaso’s engine calls BencodeParser when it encounters bencoded files to be processed, typically seen for BitTorrent data.

class plaso.parsers.bencode_parser.BencodeParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Deserializes a bencoded file; produces a dictionary containing the bencoded data.

The Plaso engine calls parsers by their Parse() method. The Parse() function deserializes bencoded files using the BitTorrent-bencode library and calls the plugins (BencodePlugin) registered through the interface via their Process() method to produce event objects.

Plugins are how this parser understands the content inside a bencoded file; each plugin holds the logic specific to a particular bencoded file. See the bencode_plugins/ directory for examples of how bencode plugins are implemented.

BENCODE_RE = re.compile(b'd[0-9]')
DESCRIPTION = 'Parser for bencoded files.'
NAME = 'bencode'
ParseFileObject(parser_mediator, file_object)[source]

Parses a bencoded file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.
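
The deserialization step described above, as an added example (my own decoder, not the BitTorrent-bencode library plaso uses): it implements the four bencode types, reuses the page's `d[0-9]` leading-bytes test, and adds the bounds checks a parser of untrusted files needs, namely a nesting limit and a length check on strings, so malformed input raises ValueError instead of recursing without bound or reading past the end. The sample is a constructed, minimal .torrent-like dictionary.

```python
"""Added example: a bencode decoder with the safety checks a file parser needs."""
import re

# Same leading-bytes test as the page's BENCODE_RE: a dictionary whose first key
# is a byte string, which is how .torrent and BitTorrent resume files begin.
BENCODE_RE = re.compile(b'd[0-9]')

# Bencode nests arbitrarily and each level costs a stack frame; a bound turns a
# hostile deeply nested file into a clean error instead of a RecursionError.
_MAX_DEPTH = 64


def looks_like_bencode(data):
    """True when the first bytes look like a bencoded dictionary."""
    return BENCODE_RE.match(data) is not None


def decode_bencode(data):
    """Decodes bytes into int, bytes, list and dict (dictionary keys are bytes)."""
    value, end = _decode_value(data, 0, 0)
    if end != len(data):
        raise ValueError('trailing bytes after bencoded value')
    return value


def _decode_value(data, index, depth):
    """Decodes one value at index; returns (value, index after the value)."""
    if depth > _MAX_DEPTH:
        raise ValueError('bencode nesting deeper than {0:d}'.format(_MAX_DEPTH))
    marker = data[index:index + 1]
    if marker == b'i':                      # integer: i<digits>e
        end = data.index(b'e', index)       # raises ValueError if truncated
        return int(data[index + 1:end]), end + 1
    if marker == b'l':                      # list: l<values>e
        items, index = [], index + 1
        while data[index:index + 1] != b'e':
            item, index = _decode_value(data, index, depth + 1)
            items.append(item)
        return items, index + 1
    if marker == b'd':                      # dictionary: d<key><value>...e
        result, index = {}, index + 1
        while data[index:index + 1] != b'e':
            key, index = _decode_value(data, index, depth + 1)
            if not isinstance(key, bytes):
                raise ValueError('dictionary key before offset {0:d} is not a string'.format(index))
            value, index = _decode_value(data, index, depth + 1)
            result[key] = value
        return result, index + 1
    if marker.isdigit():                    # byte string: <length>:<bytes>
        colon = data.index(b':', index)
        length = int(data[index:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError('string at offset {0:d} runs past the end of input'.format(index))
        return data[start:start + length], start + length
    # Includes the empty marker reached when a list or dictionary is truncated.
    raise ValueError('unexpected byte at offset {0:d}'.format(index))


def decode_rejects(data):
    """True when decode_bencode refuses data with ValueError."""
    try:
        decode_bencode(data)
    except ValueError:
        return True
    return False


# Constructed sample resembling a minimal .torrent file (not a real torrent).
SAMPLE_TORRENT = (
    b'd8:announce22:http://tracker.example13:creation datei1601500000e'
    b'4:infod6:lengthi1024e4:name8:file.txtee')

if __name__ == '__main__':
    print(decode_bencode(SAMPLE_TORRENT))
```

A bencode plugin in plaso's sense would then pick fields such as `creation date` out of the returned dictionary and turn them into events; the decoder itself stays format-agnostic.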

plaso.parsers.bsm module

Basic Security Module (BSM) event auditing file parser.

class plaso.parsers.bsm.BSMEventData[source]

Bases: plaso.containers.events.EventData

Basic Security Module (BSM) audit event data.

event_type

int – identifier that represents the type of the event.

extra_tokens

list[dict[str, dict[str, str]]] – event extra tokens, which is a list of dictionaries that contain: {token type: {token values}}

record_length

int – record length in bytes (trailer number).

return_value

str – processed return value and exit status.

DATA_TYPE = 'bsm:event'
class plaso.parsers.bsm.BSMParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for BSM files.

DESCRIPTION = 'Parser for BSM log files.'
NAME = 'bsm_log'
ParseFileObject(parser_mediator, file_object)[source]

Parses a BSM file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.chrome_cache module

Parser for Google Chrome and Chromium Cache files.

class plaso.parsers.chrome_cache.CacheAddress(cache_address)[source]

Bases: object

Chrome cache address.

block_number

int – block data file number.

block_offset

int – offset within the block data file.

block_size

int – block size.

filename

str – name of the block data file.

value

int – cache address.

FILE_TYPE_BLOCK_1024 = 3
FILE_TYPE_BLOCK_256 = 2
FILE_TYPE_BLOCK_4096 = 4
FILE_TYPE_BLOCK_RANKINGS = 1
FILE_TYPE_SEPARATE = 0
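
How the fields of CacheAddress are derived from the 32-bit address value, as an added example (my code, not plaso's CacheAddress class). The bit layout, the 36/256/1024/4096-byte block sizes and the 8192-byte block-file header are Chromium's disk cache constants (its `disk_cache` `addr.h`); the file type values are the ones listed above. File types 5 and above, which plaso does not handle, are rejected here rather than guessed at.

```python
"""Added example: decodes Chrome/Chromium block-file cache addresses."""

# File type values, matching the CacheAddress constants.
FILE_TYPE_SEPARATE = 0
FILE_TYPE_BLOCK_RANKINGS = 1
FILE_TYPE_BLOCK_256 = 2
FILE_TYPE_BLOCK_1024 = 3
FILE_TYPE_BLOCK_4096 = 4

# Block size in bytes per block data file type; the rankings file uses 36-byte blocks.
_BLOCK_SIZES = {
    FILE_TYPE_BLOCK_RANKINGS: 36,
    FILE_TYPE_BLOCK_256: 256,
    FILE_TYPE_BLOCK_1024: 1024,
    FILE_TYPE_BLOCK_4096: 4096,
}
# Every data_N block file starts with an 8 KiB header; block 0 follows it.
_BLOCK_FILE_HEADER_SIZE = 8192


def decode_cache_address(value):
    """Decodes a 32-bit cache address into the CacheAddress fields.

      bit 31      initialized flag
      bits 28-30  file type
      bits 24-25  number of contiguous blocks minus one (block files)
      bits 16-23  block data file selector, the N in data_N (block files)
      bits 0-15   first block number (block files)
      bits 0-27   file number, the hex digits of f_XXXXXX (separate files)
    """
    if not 0 <= value <= 0xffffffff:
        raise ValueError('cache address must be a 32-bit value')
    address = {
        'value': value,
        'is_initialized': bool(value & 0x80000000),
        'file_type': (value & 0x70000000) >> 28,
        'filename': None,
        'block_number': None,
        'block_offset': None,
        'block_size': None,
    }
    if value == 0:
        return address  # null address: no entry, or end of a chain

    file_type = address['file_type']
    if file_type == FILE_TYPE_SEPARATE:
        address['filename'] = 'f_{0:06x}'.format(value & 0x0fffffff)
    elif file_type in _BLOCK_SIZES:
        unit = _BLOCK_SIZES[file_type]
        number_of_blocks = ((value & 0x03000000) >> 24) + 1
        address['filename'] = 'data_{0:d}'.format((value & 0x00ff0000) >> 16)
        address['block_number'] = value & 0x0000ffff
        address['block_offset'] = (
            _BLOCK_FILE_HEADER_SIZE + address['block_number'] * unit)
        address['block_size'] = number_of_blocks * unit
    else:
        raise ValueError('unsupported cache file type {0:d}'.format(file_type))
    return address


if __name__ == '__main__':
    # Constructed address values, not taken from a real cache.
    for sample in (0xa0010002, 0xb1020005, 0x8000abcd, 0):
        print('{0:#010x}'.format(sample), decode_cache_address(sample))
```

When following `next` and `rankings_node` chains from the index file, a reader should bound the number of hops and check that `block_offset + block_size` lies inside the data file before reading, since an address is just an integer from an untrusted file.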
class plaso.parsers.chrome_cache.CacheEntry[source]

Bases: object

Chrome cache entry.

creation_time

int – creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.

hash

int – super fast hash of the key.

key

bytes – key.

next

int – cache address of the next cache entry.

original_url

str – original URL derived from the key.

rankings_node

int – cache address of the rankings node.

class plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Chrome cache data block file parser.

ParseCacheEntry(file_object, block_offset)[source]

Parses a cache entry.

Parameters:
  • file_object (dfvfs.FileIO) – a file-like object to read from.
  • block_offset (int) – block offset of the cache entry.
Returns:

cache entry.

Return type:

CacheEntry

Raises:

ParseError – if the cache entry cannot be read.

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters:
  • parser_mediator (ParserMediator) – a parser mediator.
  • file_object (dfvfs.FileIO) – a file-like object to parse.
Raises:

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheEntryEventData[source]

Bases: plaso.containers.events.EventData

Chrome Cache event data.

original_url

str – original URL.

DATA_TYPE = 'chrome:cache:entry'
class plaso.parsers.chrome_cache.ChromeCacheIndexFileParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Chrome cache index file parser.

creation_time

int – creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.

index_table

list[CacheAddress] – the cache addresses which are stored in the index file.

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters:
  • parser_mediator (ParserMediator) – a parser mediator.
  • file_object (dfvfs.FileIO) – a file-like object to parse.
Raises:

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheParser[source]

Bases: plaso.parsers.interface.FileEntryParser

Parses Chrome Cache files.

DESCRIPTION = 'Parser for Chrome Cache files.'
NAME = 'chrome_cache'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses Chrome Cache files.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_entry (dfvfs.FileEntry) – file entry.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.chrome_preferences module

A parser for the Chrome preferences file.

class plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData[source]

Bases: plaso.containers.events.EventData

Chrome content settings exceptions event data.

permission

str – permission.

primary_url

str – primary URL.

secondary_url

str – secondary URL.

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'
class plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData[source]

Bases: plaso.containers.events.EventData

Chrome Extension event data.

extension_id

str – extension identifier.

extension_name

str – extension name.

path

str – path.

DATA_TYPE = 'chrome:preferences:extension_installation'
class plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData[source]

Bases: plaso.containers.events.EventData

Chrome Extension Autoupdater event data.

message

str – message.

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'
class plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventData[source]

Bases: plaso.containers.events.EventData

Chrome history clearing event data.

message

str – message.

DATA_TYPE = 'chrome:preferences:clear_history'
class plaso.parsers.chrome_preferences.ChromePreferencesParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses Chrome Preferences files.

DESCRIPTION = 'Parser for Chrome Preferences files.'
NAME = 'chrome_preferences'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Chrome preferences file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

REQUIRED_KEYS = frozenset({'browser', 'extensions'})
plaso.parsers.cups_ipp module

The CUPS IPP files parser.

CUPS IPP version 1.0:
  • http://tools.ietf.org/html/rfc2565
  • http://tools.ietf.org/html/rfc2566
  • http://tools.ietf.org/html/rfc2567
  • http://tools.ietf.org/html/rfc2568
  • http://tools.ietf.org/html/rfc2569
  • http://tools.ietf.org/html/rfc2639

CUPS IPP version 1.1:
  • http://tools.ietf.org/html/rfc2910
  • http://tools.ietf.org/html/rfc2911
  • http://tools.ietf.org/html/rfc3196
  • http://tools.ietf.org/html/rfc3510

CUPS IPP version 2.0:
  • N/A

class plaso.parsers.cups_ipp.CupsIppEventData[source]

Bases: plaso.containers.events.EventData

CUPS IPP event data.

application

str – application that prints the document.

data_dict

dict[str, object] – parsed data coming from the file.

computer_name

str – name of the computer.

copies

int – number of copies.

doc_type

str – type of document.

job_id

str – job identifier.

job_name

str – job name.

owner

str – real name of the user.

printer_id

str – identification name of the printer.

uri

str – URL of the CUPS service.

user

str – system user name.

DATA_TYPE = 'cups:ipp:event'
class plaso.parsers.cups_ipp.CupsIppParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for CUPS IPP files.

DESCRIPTION = 'Parser for CUPS IPP files.'
NAME = 'cups_ipp'
ParseFileObject(parser_mediator, file_object)[source]

Parses a CUPS IPP file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.custom_destinations module

Parser for .customDestinations-ms files.

class plaso.parsers.custom_destinations.CustomDestinationsParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses .customDestinations-ms files.

DESCRIPTION = 'Parser for *.customDestinations-ms files.'
NAME = 'custom_destinations'
ParseFileObject(parser_mediator, file_object)[source]

Parses a .customDestinations-ms file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.docker module

Parser for Docker configuration and log files.

class plaso.parsers.docker.DockerJSONContainerEventData[source]

Bases: plaso.containers.events.EventData

Docker container’s configuration file event data.

action

str – whether the container was created, started, or finished.

container_id

str – identifier of the container (SHA256).

container_name

str – name of the container.

DATA_TYPE = 'docker:json:container'
class plaso.parsers.docker.DockerJSONContainerLogEventData[source]

Bases: plaso.containers.events.EventData

Docker container’s log event data.

container_id

str – identifier of the container (sha256).

log_line

str – log line.

log_source

str – log source.

DATA_TYPE = 'docker:json:container:log'
class plaso.parsers.docker.DockerJSONLayerEventData[source]

Bases: plaso.containers.events.EventData

Docker filesystem layer configuration file event data.

command

str – the command which made Docker create a new layer.

layer_id

str – the identifier of the current Docker layer (sha1).

DATA_TYPE = 'docker:json:layer'
class plaso.parsers.docker.DockerJSONParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Generates various events from Docker json config and log files.

This handles:
  • Per container config file: DOCKER_DIR/containers/<container_id>/config.json
  • Per container stdout/stderr output log: DOCKER_DIR/containers/<container_id>/<container_id>-json.log
  • Filesystem layer config files: DOCKER_DIR/graph/<layer_id>/json
DESCRIPTION = 'Parser for JSON Docker files.'
NAME = 'dockerjson'
ParseFileObject(parser_mediator, file_object)[source]

Parses various Docker configuration and log files in JSON format.

This method checks whether the file_object points to a Docker JSON config or log file, and calls the corresponding _Parse* function to generate events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:
  • UnableToParseFile – when the file cannot be parsed.
  • ValueError – if the JSON file cannot be decoded.
plaso.parsers.dpkg module

This file contains the Debian dpkg.log file parser.

Information updated 02 September 2016.

An example:

2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33

Log messages are of the form:

YYYY-MM-DD HH:MM:SS startup type command

Where type is:
  • archives (with a command of unpack or install)
  • packages (with a command of configure, triggers-only, remove or purge)

YYYY-MM-DD HH:MM:SS status state pkg installed-version

YYYY-MM-DD HH:MM:SS action pkg installed-version available-version

Where action is: install, upgrade, configure, trigproc, disappear, remove or purge.

YYYY-MM-DD HH:MM:SS conffile filename decision

Where decision is: install or keep.
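The four line forms documented above, as an added example that is not plaso's own code: a small regular-expression based parser with a verify step in the spirit of VerifyStructure, run over constructed sample lines (the helper names and the sample log are assumptions).

```python
import re
from datetime import datetime

# Constructed sample lines, one per documented dpkg.log message form, plus a
# syslog-style line that a dpkg parser must reject. Not from a real dpkg.log.
SAMPLE_LINES = [
    "2016-08-03 15:25:52 startup archives unpack",
    "2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33",
    "2016-08-03 15:25:54 status unpacked base-passwd:amd64 3.5.33",
    "2016-08-03 15:25:55 conffile /etc/login.defs keep",
    "Aug  3 15:25:56 host kernel: not a dpkg line",
]

# Every dpkg.log line starts with "YYYY-MM-DD HH:MM:SS".
_TIMESTAMP = r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})"

# The body of each message form, following the documented grammar. The
# "startup" form is tried before the "action" form because both accept the
# words configure, remove and purge; the "startup" keyword disambiguates.
_BODIES = {
    "startup": (r"startup (?P<type>archives|packages) "
                r"(?P<command>unpack|install|configure|triggers-only|remove|purge)"),
    "status": r"status (?P<state>\S+) (?P<pkg>\S+) (?P<installed_version>\S+)",
    "action": (r"(?P<action>install|upgrade|configure|trigproc|disappear|remove|purge) "
               r"(?P<pkg>\S+) (?P<installed_version>\S+) (?P<available_version>\S+)"),
    "conffile": r"conffile (?P<filename>\S+) (?P<decision>install|keep)",
}

# The "body" group keeps everything after the timestamp, which is what the
# DpkgEventData.body attribute above carries.
_LINE_FORMS = {
    key: re.compile(r"^" + _TIMESTAMP + r" (?P<body>" + body + r")$")
    for key, body in _BODIES.items()
}


def parse_line(line):
    """Parses one dpkg.log line.

    Returns:
      dict: kind, timestamp (datetime), body and the form-specific fields,
          or None when the line is not in any of the documented forms.
    """
    for key, expression in _LINE_FORMS.items():
        match = expression.match(line.rstrip("\r\n"))
        if match is None:
            continue
        fields = match.groupdict()
        date_time = datetime.strptime(
            fields.pop("date") + " " + fields.pop("time"), "%Y-%m-%d %H:%M:%S")
        event = {"kind": key, "timestamp": date_time, "body": fields.pop("body")}
        event.update(fields)
        return event
    return None


def verify_structure(line):
    """Mirrors VerifyStructure: True if the line is in an expected format."""
    return parse_line(line) is not None


def parse_lines(lines):
    """Parses an iterable of lines, skipping lines that do not match."""
    return [event for event in map(parse_line, lines) if event is not None]


if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES):
        print(event["timestamp"].isoformat(), event["kind"], event["body"])
```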

class plaso.parsers.dpkg.DpkgEventData[source]

Bases: plaso.containers.events.EventData

Dpkg event data.

body

str – body of the log line.

DATA_TYPE = 'dpkg:line'
class plaso.parsers.dpkg.DpkgParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parser for Debian dpkg.log files.

DESCRIPTION = 'Parser for Debian dpkg.log files.'
LINE_STRUCTURES = [('line', {Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {Combine:({{"startup" archives | packages} unpack | install | configure | triggers-only | remove | purge}) | Combine:({{{"status" W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{{install | upgrade | configure | trigproc | disappear | remove | purge W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{"conffile" W:(0123...)} install | keep})}})]
NAME = 'dpkg'
ParseRecord(parser_mediator, key, structure)[source]

Parses a structure of tokens derived from a line of a text file.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • key (str) – identifier of the structure of tokens.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]

Verifies if a line from a text file is in the expected format.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • line (str) – line from a text file.
Returns:

True if the line is in the expected format, False if not.

Return type:

bool

plaso.parsers.dsv_parser module

Delimiter separated values (DSV) parser interface.

class plaso.parsers.dsv_parser.DSVParser(encoding=None)[source]

Bases: plaso.parsers.interface.FileObjectParser

Delimiter separated values (DSV) parser interface.

COLUMNS = []
DELIMITER = b','
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification
NUMBER_OF_HEADER_LINES = 0
ParseFileObject(parser_mediator, file_object)[source]

Parses a DSV text file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row_offset (int) – offset of the row.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
QUOTE_CHAR = b'"'
VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.dtfabric_parser module

Shared functionality for dtFabric-based data format parsers.

class plaso.parsers.dtfabric_parser.DtFabricBaseParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Shared functionality for dtFabric-based data format parsers.

A dtFabric-based data format parser defines its data format structures in a dtFabric definition file, for example “dtfabric.yaml”:

name: int32
type: integer
description: 32-bit signed integer type
attributes:
  format: signed
  size: 4
  units: bytes
---
name: point3d
aliases: [POINT]
type: structure
description: Point in 3 dimensional space.
attributes:
  byte_order: little-endian
members:
- name: x
  aliases: [XCOORD]
  data_type: int32
- name: y
  data_type: int32
- name: z
  data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition file contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream, for example if we have the following byte stream:

01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to:
  • define a definition file and override _DEFINITION_FILE;
  • implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in the definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.
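To make the fabric, data type map and byte stream mapping described above concrete, here is an added illustration (not dtfabric's or plaso's own code): the “int32” and “point3d” definitions from the example, held as Python dicts instead of YAML, are turned into a cached data type map that maps the documented byte stream onto a point3d object. The Fabric, DataTypeMap and ReadStructure names are assumptions, and only integer members are supported.

```python
import collections
import io
import struct

# The definitions from the "dtfabric.yaml" example, as Python dicts. This
# stands in for the fabric; it is not dtfabric's own API.
DEFINITIONS = [
    {"name": "int32", "type": "integer",
     "description": "32-bit signed integer type",
     "attributes": {"format": "signed", "size": 4, "units": "bytes"}},
    {"name": "point3d", "aliases": ["POINT"], "type": "structure",
     "description": "Point in 3 dimensional space.",
     "attributes": {"byte_order": "little-endian"},
     "members": [
         {"name": "x", "aliases": ["XCOORD"], "data_type": "int32"},
         {"name": "y", "data_type": "int32"},
         {"name": "z", "data_type": "int32"}]},
]

# (format, size in bytes) of an integer definition -> struct format character.
_INTEGER_FORMATS = {
    ("signed", 1): "b", ("unsigned", 1): "B", ("signed", 2): "h", ("unsigned", 2): "H",
    ("signed", 4): "i", ("unsigned", 4): "I", ("signed", 8): "q", ("unsigned", 8): "Q",
}
_BYTE_ORDERS = {"little-endian": "<", "big-endian": ">"}


class Fabric:
    """Collection of data type definitions, looked up by name or alias."""

    def __init__(self, definitions):
        self._definitions = {}
        for definition in definitions:
            self._definitions[definition["name"]] = definition
            for alias in definition.get("aliases", []):
                self._definitions[alias] = definition
        self._data_type_maps = {}

    def GetDataTypeMap(self, name):
        """Retrieves a data type map; maps are cached for reuse, as in _GetDataTypeMap."""
        definition = self._definitions[name]
        if definition["name"] not in self._data_type_maps:
            self._data_type_maps[definition["name"]] = DataTypeMap(self, definition)
        return self._data_type_maps[definition["name"]]


class DataTypeMap:
    """Maps a data type definition onto a struct format string."""

    def __init__(self, fabric, definition):
        self.name = definition["name"]
        attributes = definition.get("attributes", {})
        if definition["type"] == "integer":
            self._format = _INTEGER_FORMATS[(attributes["format"], attributes["size"])]
            self._member_names = None
        elif definition["type"] == "structure":
            # Members are resolved through the fabric, so "int32" is looked up
            # (and cached) once and reused for x, y and z.
            self._member_names = [member["name"] for member in definition["members"]]
            member_formats = [fabric.GetDataTypeMap(member["data_type"])._format
                              for member in definition["members"]]
            self._format = _BYTE_ORDERS[attributes["byte_order"]] + "".join(member_formats)
        else:
            raise ValueError("unsupported data type: {0:s}".format(definition["type"]))
        self.size = struct.calcsize(self._format)

    def MapByteStream(self, byte_stream):
        """Maps a byte stream onto a Python object (a namedtuple for structures)."""
        if len(byte_stream) < self.size:
            raise ValueError("byte stream too small for {0:s}: {1:d} < {2:d}".format(
                self.name, len(byte_stream), self.size))
        values = struct.unpack(self._format, byte_stream[:self.size])
        if self._member_names is None:
            return values[0]
        structure_type = collections.namedtuple(self.name, self._member_names)
        return structure_type(*values)


def ReadStructure(file_object, data_type_map):
    """Reads one structure from a file-like object, as _ReadStructure does."""
    return data_type_map.MapByteStream(file_object.read(data_type_map.size))


# The byte stream from the text above, constructed inline.
BYTE_STREAM = bytes.fromhex("01 00 00 00 02 00 00 00 03 00 00 00")

if __name__ == "__main__":
    fabric = Fabric(DEFINITIONS)
    point = ReadStructure(io.BytesIO(BYTE_STREAM), fabric.GetDataTypeMap("point3d"))
    print(point)  # point3d(x=1, y=2, z=3)
```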

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters:
  • parser_mediator (ParserMediator) – a parser mediator.
  • file_object (dfvfs.FileIO) – a file-like object to parse.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.esedb module

Parser for Extensible Storage Engine (ESE) database files (EDB).

class plaso.parsers.esedb.ESEDBCache[source]

Bases: plaso.parsers.plugins.BasePluginCache

A cache storing query results for ESEDB plugins.

StoreDictInCache(attribute_name, dict_object)[source]

Store a dict object in cache.

Parameters:
  • attribute_name (str) – name of the attribute.
  • dict_object (dict) – dictionary.
class plaso.parsers.esedb.ESEDBParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses Extensible Storage Engine (ESE) database files (EDB).

DESCRIPTION = 'Parser for Extensible Storage Engine (ESE) database files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification
NAME = 'esedb'
ParseFileObject(parser_mediator, file_object)[source]

Parses an ESE database file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.filestat module

File system stat object parser.

class plaso.parsers.filestat.FileStatEventData[source]

Bases: plaso.containers.events.EventData

File system stat event data.

file_entry_type

int – dfVFS file entry type.

file_size

int – file size in bytes.

file_system_type

str – file system type.

is_allocated

bool – True if the file is allocated.

offset

int – the offset of the stat data in bytes.

DATA_TYPE = 'fs:stat'
class plaso.parsers.filestat.FileStatParser[source]

Bases: plaso.parsers.interface.FileEntryParser

Parses a file system stat object.

DESCRIPTION = 'Parser for file system stat information.'
NAME = 'filestat'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses a file entry.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_entry (dfvfs.FileEntry) – a file entry.
plaso.parsers.firefox_cache module

Implements a parser for Firefox cache 1 and 2 files.

class plaso.parsers.firefox_cache.BaseFirefoxCacheParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses Firefox cache files.

class plaso.parsers.firefox_cache.FirefoxCache2Parser[source]

Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser

Parses Firefox cache version 2 files (Firefox 32 or later).

DESCRIPTION = 'Parser for Firefox Cache version 2 files (Firefox 32 or later).'
NAME = 'firefox_cache2'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Firefox cache file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.firefox_cache.FirefoxCacheEventData[source]

Bases: plaso.containers.events.EventData

Firefox cache event data.

data_size

int – size of the cached data.

fetch_count

int – number of times the cache entry was fetched.

frequency

int – ???

info_size

int – size of the metadata.

location

str – ???

request_method

str – HTTP request method.

request_size

int – HTTP request byte size.

response_code

int – HTTP response code.

url

str – URL of original content.

version

int – cache format version.

DATA_TYPE = 'firefox:cache:record'
class plaso.parsers.firefox_cache.FirefoxCacheParser[source]

Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser

Parses Firefox cache version 1 files (Firefox 31 or earlier).

DESCRIPTION = 'Parser for Firefox Cache version 1 files (Firefox 31 or earlier).'
FIREFOX_CACHE_CONFIG

alias of firefox_cache_config

NAME = 'firefox_cache'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Firefox cache file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.fseventsd module

Parsers for MacOS fseventsd files.

class plaso.parsers.fseventsd.FseventsdEventData[source]

Bases: plaso.containers.events.EventData

MacOS file system event (fseventsd) event data.

event_identifier

int – the record event identifier.

flags

int – flags stored in the record.

node_identifier

int – file system node identifier related to the file system event.

path

str – path recorded in the fseventsd record.

DATA_TYPE = 'macos:fseventsd:record'
class plaso.parsers.fseventsd.FseventsdParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for fseventsd files.

This parser supports both version 1 and version 2 fseventsd files. Refer to http://nicoleibrahim.com/apple-fsevents-forensics/ for details.

DESCRIPTION = 'Parser for fseventsd files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification
NAME = 'fsevents'
ParseFileObject(parser_mediator, file_object)[source]

Parses an fseventsd file.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the header cannot be parsed.

plaso.parsers.gdrive_synclog module

Parser for Google Drive Sync log files.

class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData[source]

Bases: plaso.containers.events.EventData

Google Drive Sync log event data.

log_level

str – logging level of event such as “DEBUG”, “WARN”, “INFO”, “ERROR”.

message

str – log message.

pid

int – process identifier of process which logged event.

source_code

str – filename:line_number of source file which logged event.

thread

str – colon-separated thread identifier in the form “ID:name” which logged event.

time

str – date and time of the log entry event with timezone offset.

DATA_TYPE = 'gdrive_sync:log:line'
class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser[source]

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses events from Google Drive Sync log files.

BUFFER_SIZE = 16384
DESCRIPTION = 'Parser for Google Drive Sync log files.'
LINE_STRUCTURES = [('logline', {{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)} W:(ABCD...)} W:(0123...)} W:(0123...)} W:(0123...)} SkipTo:({StringEnd | {{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)}})} [lineEnd]...})]
NAME = 'gdrive_synclog'
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – identifier of the structure of tokens.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]

Verify that this file is a Google Drive Sync log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • lines (str) – one or more lines from the text file.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.hachoir module

Parser that uses Hachoir to extract metadata.

class plaso.parsers.hachoir.HachoirEventData[source]

Bases: plaso.containers.events.EventData

Hachoir event data.

metadata

dict[str, object] – hachoir metadata.

DATA_TYPE = 'metadata:hachoir'
class plaso.parsers.hachoir.HachoirParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parser that uses Hachoir.

DESCRIPTION = 'Parser that wraps Hachoir.'
NAME = 'hachoir'
ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object using Hachoir.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.iis module

Parser for Windows IIS Log file.

More documentation on fields can be found here: https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx

class plaso.parsers.iis.IISEventData[source]

Bases: plaso.containers.events.EventData

IIS log event data.

Attributes:

DATA_TYPE = 'iis:log:line'
class plaso.parsers.iis.WinIISParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses a Microsoft IIS log file.

BLANK = "-"
COMMENT = {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}
DATE_METADATA = {"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}}
DATE_TIME = {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}
DESCRIPTION = 'Parser for Microsoft IIS log files.'
FIELDS_METADATA = {"Fields:" SkipTo:(LineEnd)}
INTEGER = {W:(0123...) | "-"}
IP_ADDRESS = {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}
LINE_STRUCTURES = [('comment', {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}), ('logline', {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}})]
LOG_LINE_6_0 = {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}}
NAME = 'winiis'
PORT = {W:(0123...) | "-"}
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – structure parsed from the log file.
Raises:

ParseError – when the structure type is unknown.

QUERY = {W:(ABCD...) | "-"}
URI = {W:(ABCD...) | "-"}
VerifyStructure(parser_mediator, line)[source]

Verify that this file is an IIS log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line was successfully parsed.

Return type:

bool

WORD = {W:(ABCD...) | "-"}
plaso.parsers.interface module

The parsers and plugins interface classes.

class plaso.parsers.interface.BaseFileEntryFilter[source]

Bases: object

File entry filter interface.

Match(file_entry)[source]

Determines if a file entry matches the filter.

Parameters: file_entry (dfvfs.FileEntry) – a file entry.
Returns: True if the file entry matches the filter.
Return type: bool
class plaso.parsers.interface.BaseParser[source]

Bases: object

The parser interface.

DESCRIPTION = ''
classmethod DeregisterPlugin(plugin_class)[source]

Deregisters a plugin class.

The plugin classes are identified based on their lower case name.

Parameters: plugin_class (type) – class of the plugin.
Raises: KeyError – if plugin class is not set for the corresponding name.
EnablePlugins(plugin_includes)[source]

Enables parser plugins.

Parameters: plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.
FILTERS = frozenset()
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns: a format specification or None if not available.
Return type: FormatSpecification
classmethod GetPluginObjectByName(plugin_name)[source]

Retrieves a specific plugin object by its name.

Parameters: plugin_name (str) – name of the plugin.
Returns: a plugin object or None if not available.
Return type: BasePlugin
classmethod GetPlugins()[source]

Retrieves the registered plugins.

Yields: tuple[str, type] – name and class of the plugin.
NAME = 'base_parser'
classmethod RegisterPlugin(plugin_class)[source]

Registers a plugin class.

The plugin classes are identified based on their lower case name.

Parameters: plugin_class (type) – class of the plugin.
Raises: KeyError – if plugin class is already set for the corresponding name.
classmethod RegisterPlugins(plugin_classes)[source]

Registers plugin classes.

Parameters: plugin_classes (list[type]) – classes of plugins.
Raises: KeyError – if plugin class is already set for the corresponding name.
classmethod SupportsPlugins()[source]

Determines if a parser supports plugins.

Returns: True if the parser supports plugins.
Return type: bool
class plaso.parsers.interface.FileEntryParser[source]

Bases: plaso.parsers.interface.BaseParser

The file entry parser interface.

Parse(parser_mediator)[source]

Parses the file entry and extracts event objects.

Parameters: parser_mediator (ParserMediator) – a parser mediator.
Raises: UnableToParseFile – when the file cannot be parsed.
ParseFileEntry(parser_mediator, file_entry)[source]

Parses a file entry.

Parameters:
  • parser_mediator (ParserMediator) – a parser mediator.
  • file_entry (dfvfs.FileEntry) – a file entry to parse.
Raises:

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.interface.FileNameFileEntryFilter(filename)[source]

Bases: plaso.parsers.interface.BaseFileEntryFilter

File name file entry filter.

Match(file_entry)[source]

Determines if a file entry matches the filter.

Parameters: file_entry (dfvfs.FileEntry) – a file entry.
Returns: True if the file entry matches the filter.
Return type: bool
class plaso.parsers.interface.FileObjectParser[source]

Bases: plaso.parsers.interface.BaseParser

The file-like object parser interface.

Parse(parser_mediator, file_object)[source]

Parses a single file-like object.

Parameters:
  • parser_mediator (ParserMediator) – a parser mediator.
  • file_object (dfvfs.FileIO) – a file-like object to parse.
Raises:

UnableToParseFile – when the file cannot be parsed.

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters:
  • parser_mediator (ParserMediator) – a parser mediator.
  • file_object (dfvfs.FileIO) – a file-like object to parse.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.java_idx module

Parser for Java Cache IDX files.

class plaso.parsers.java_idx.JavaIDXEventData[source]

Bases: plaso.containers.events.EventData

Java IDX cache file event data.

idx_version

str – format version of IDX file.

ip_address

str – IP address of the host in the URL.

url

str – URL of the downloaded file.

DATA_TYPE = 'java:download:idx'
class plaso.parsers.java_idx.JavaIDXParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Java WebStart Cache IDX files.

There are five structures defined. 6.02 files had one generic section that retained all data. From 6.03, the file went to a multi-section format where later sections were optional and had variable-lengths. 6.03, 6.04, and 6.05 files all have their main data section (#2) begin at offset 128. The short structure is because 6.05 files deviate after the 8th byte. So, grab the first 8 bytes to ensure it’s valid, get the file version, then continue on with the correct structures.

DESCRIPTION = 'Parser for Java WebStart Cache IDX files.'
NAME = 'java_idx'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Java WebStart Cache IDX file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object to parse.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.logger module

The parsers sub module logger.

plaso.parsers.mac_appfirewall module

This file contains an appfirewall.log (MacOS Firewall) parser.

class plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData[source]

Bases: plaso.containers.events.EventData

MacOS Firewall log event data.

action

str – action.

agent

str – agent that saved the log.

computer_name

str – name of the computer.

process_name

str – name of the entity that tried to do the action.

status

str – saved status of the action.

DATA_TYPE = 'mac:appfirewall:line'
class plaso.parsers.mac_appfirewall.MacAppFirewallParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse text based on appfirewall.log file.

DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})
DESCRIPTION = 'Parser for appfirewall.log files.'
FIREWALL_LINE = {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}
LINE_STRUCTURES = [('logline', {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")})]
NAME = 'mac_appfirewall_log'
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – identifier of the structure of tokens.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")}
VerifyStructure(parser_mediator, line)[source]

Verify that this file is a Mac AppFirewall log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line is in the expected format, False if not.

Return type:

bool
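The grammar reprs above describe two line shapes: a firewall line (date and time without a year, computer name, agent, a status between angle brackets, the process name, then the action up to the end of the line) and a "repeated" line whose text is framed by "---". The following is an added example, not plaso's own code: it reproduces the same two shapes with regular expressions instead of pyparsing, with a verify_structure() counterpart of VerifyStructure and a parse_line() counterpart of ParseRecord. The sample log lines are constructed for the example; the year is supplied by the caller, as plaso does through the mediator's estimated year, since the log format carries none.

```python
"""Added example: regex-based reader for MacOS appfirewall.log lines."""
import datetime
import re

# Constructed sample lines modelled on the FIREWALL_LINE and REPEATED_LINE
# shapes; they are not taken from a real host.
SAMPLE_LINES = [
    "Nov  2 04:07:35 DarkTemplar-2.local socketfilterfw[112] <Info>: "
    "Dropbox: Allow TCP CONNECT (in:0 out:1)",
    "Nov  2 04:07:36 --- last message repeated 1 time ---",
    "this is not a firewall log line",
]

MONTHS = {
    "Jan": 1, "Feb": 2, "Mar": 3, "Apr": 4, "May": 5, "Jun": 6,
    "Jul": 7, "Aug": 8, "Sep": 9, "Oct": 10, "Nov": 11, "Dec": 12}

# "Nov  2 04:07:35": three-letter month, day, hh:mm:ss (no year in the log).
DATE_TIME = (r"(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
             r"(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})")

# date time, computer name, agent, "<status>:", "process_name:", action.
FIREWALL_LINE = re.compile(
    DATE_TIME +
    r"\s+(?P<computer_name>\S+)\s+(?P<agent>\S+)\s+"
    r"<(?P<status>[^>]+)>:\s+(?P<process_name>[^:]+):\s*(?P<action>.*)$")

# date time, "---", free text, "---".
REPEATED_LINE = re.compile(DATE_TIME + r"\s+---\s*(?P<text>.*?)\s*---\s*$")


def _timestamp(match, year):
    """Build a naive datetime from the matched fields and the caller's year."""
    return datetime.datetime(
        year, MONTHS[match.group("month")], int(match.group("day")),
        int(match.group("hour")), int(match.group("minute")),
        int(match.group("second")))


def verify_structure(line):
    """Counterpart of VerifyStructure: True if the line is a firewall line."""
    return FIREWALL_LINE.match(line) is not None


def parse_line(line, year):
    """Counterpart of ParseRecord: event dict keyed like
    MacAppFirewallLogEventData, or None if the line matches neither shape."""
    match = FIREWALL_LINE.match(line)
    if match:
        return {
            "data_type": "mac:appfirewall:line",
            "timestamp": _timestamp(match, year),
            "computer_name": match.group("computer_name"),
            "agent": match.group("agent"),
            "status": match.group("status"),
            "process_name": match.group("process_name"),
            "action": match.group("action"),
        }
    match = REPEATED_LINE.match(line)
    if match:
        # Repeated lines carry no host, agent or process; this example keeps
        # the framed text as the action (a choice of the example).
        return {
            "data_type": "mac:appfirewall:line",
            "timestamp": _timestamp(match, year),
            "computer_name": None, "agent": None, "status": None,
            "process_name": None,
            "action": match.group("text"),
        }
    return None


def parse_log(lines, year):
    """Parse every line; return (events, number of lines that matched nothing)."""
    events, unparsed = [], 0
    for line in lines:
        event = parse_line(line, year)
        if event is None:
            unparsed += 1
        else:
            events.append(event)
    return events, unparsed


if __name__ == "__main__":
    for event in parse_log(SAMPLE_LINES, 2013)[0]:
        print(event["timestamp"], event["process_name"], event["action"])
```

The unparsed count is worth reporting in a real deployment: a rising number of lines that match neither shape usually means the log format changed, and events would silently go missing from the timeline otherwise.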

plaso.parsers.mac_keychain module

Parser for MacOS Keychain files.

class plaso.parsers.mac_keychain.KeychainApplicationRecordEventData[source]

Bases: plaso.containers.events.EventData

MacOS keychain application password record event data.

account_name

str – name of the account.

comments

str – comments added by the user.

entry_name

str – name of the entry.

ssgp_hash

str – password/certificate hash formatted as a hexadecimal string.

text_description

str – description.

DATA_TYPE = 'mac:keychain:application'
class plaso.parsers.mac_keychain.KeychainDatabaseColumn[source]

Bases: object

MacOS keychain database column.

attribute_data_type

int – attribute (data) type.

attribute_identifier

int – attribute identifier.

attribute_name

str – attribute name.

class plaso.parsers.mac_keychain.KeychainDatabaseTable[source]

Bases: object

MacOS keychain database table.

columns

list[KeychainDatabaseColumn] – columns.

records

list[dict[str, str]] – records.

relation_identifier

int – relation identifier.

relation_name

str – relation name.

class plaso.parsers.mac_keychain.KeychainInternetRecordEventData[source]

Bases: plaso.containers.events.EventData

MacOS keychain internet record event data.

account_name

str – name of the account.

comments

str – comments added by the user.

entry_name

str – name of the entry.

protocol

str – internet protocol used, for example “https”.

ssgp_hash

str – password/certificate hash formatted as a hexadecimal string.

text_description

str – description.

type_protocol

str – sub-protocol used, for example “form”.

where

str – domain name or IP where the password is used.

DATA_TYPE = 'mac:keychain:internet'
class plaso.parsers.mac_keychain.KeychainParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Keychain files.

DESCRIPTION = 'Parser for MacOS Keychain files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:format specification.
Return type:FormatSpecification
NAME = 'mac_keychain'
ParseFileObject(parser_mediator, file_object)[source]

Parses a MacOS keychain file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.mac_securityd module

This file contains the MacOS securityd log plaintext parser.

Also see:
http://opensource.apple.com/source/Security/Security-55471/sec/securityd/
class plaso.parsers.mac_securityd.MacOSSecuritydLogEventData[source]

Bases: plaso.containers.events.EventData

MacOS securityd log event data.

caller

str – caller, consists of two hex numbers.

facility

str – facility.

level

str – priority level.

message

str – message.

security_api

str – name of securityd function.

sender_pid

int – process identifier of the sender.

sender

str – name of the sender.

DATA_TYPE = 'mac:securityd:line'
class plaso.parsers.mac_securityd.MacOSSecuritydLogParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses the securityd file that contains logs from the security daemon.

DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})
DESCRIPTION = 'Parser for MacOS securityd log files.'
LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")})]
NAME = 'mac_securityd'
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")}
SECURITYD_LINE = {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}
VerifyStructure(parser_mediator, line)[source]

Verify that this file is a securityd log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line is in the expected format, False if not.

Return type:

bool

plaso.parsers.mac_wifi module

This file contains the wifi.log (MacOS) parser.

class plaso.parsers.mac_wifi.MacWifiLogEventData[source]

Bases: plaso.containers.events.EventData

Mac Wifi log event data.

action

str – known WiFi action, for example connected to an AP, configured, etc. If the action is not known, the value is the message of the log (text variable).

agent

str – name and identifier of process that generated the log message.

function

str – name of function that generated the log message.

text

str – log message.

DATA_TYPE = 'mac:wifilog:line'
class plaso.parsers.mac_wifi.MacWifiLogParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses text lines from a wifi.log file.

DESCRIPTION = 'Parser for MacOS wifi.log files.'
LINE_STRUCTURES = [('header', {Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) "***Starting Up***"}), ('turned_over_header', {Group:({{W:(ABCD...,abcd...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Combine:({{{W:(0123...) W:(0123...)} "logfile turned over"} LineEnd})}), ('known_function_logline', {{{{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) {{"<" Combine:({"airportd" !W:(>)})} ">"}} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"} SkipTo:(lineEnd)}), ('logline', {{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) ~{{{{{"<" Combine:({"airportd" !W:(>)})} ">"} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"}}} SkipTo:(lineEnd)})]
NAME = 'macwifi'
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

THREE_DIGITS = W:(0123...)
THREE_LETTERS = W:(ABCD...)
VerifyStructure(parser_mediator, line)[source]

Verify that this file is a Mac Wifi log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line is in the expected format, False if not.

Return type:

bool

plaso.parsers.mactime module

Parser for the Sleuthkit (TSK) bodyfile or mactime format.

The format specifications can be read here:
http://wiki.sleuthkit.org/index.php?title=Body_file
class plaso.parsers.mactime.MactimeEventData[source]

Bases: plaso.containers.events.EventData

Mactime event data.

filename

str – name of the file.

inode

int – “inode” of the file. Note that inode is an overloaded term in the context of mactime and used for MFT entry index values as well.

md5

str – MD5 hash of the file content, formatted as a hexadecimal string.

mode_as_string

str – protection mode.

offset

int – number of the corresponding line.

size

int – size of the file content.

user_gid

int – user group identifier (GID).

user_sid

str – user security identifier (SID).

DATA_TYPE = 'fs:mactime:line'
class plaso.parsers.mactime.MactimeParser(encoding=None)[source]

Bases: plaso.parsers.dsv_parser.DSVParser

SleuthKit bodyfile parser.

COLUMNS = ['md5', 'name', 'inode', 'mode_as_string', 'uid', 'gid', 'size', 'atime', 'mtime', 'ctime', 'btime']
DELIMITER = b'|'
DESCRIPTION = 'Parser for SleuthKit version 3 bodyfiles.'
NAME = 'mactime'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row_offset (int) – number of the corresponding line.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool
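As an added example, not plaso's own code, here is a small reader for the SleuthKit version 3 bodyfile layout that MactimeParser handles: the COLUMNS and the "|" DELIMITER above, with a verify_row() counterpart of VerifyRow, a parse_row() counterpart of ParseRow that emits one event per non-zero atime/mtime/ctime/btime value, and a parse_bodyfile() driver. The sample bodyfile lines are constructed. Two details are choices of this example rather than documented plaso behaviour: an "inode" column written in the NTFS meta-address form "entry-type-id" is reduced to the MFT entry number, and an MD5 column of "0" is treated as "not computed".

```python
"""Added example: SleuthKit bodyfile (mactime) reader."""
import datetime

COLUMNS = ['md5', 'name', 'inode', 'mode_as_string', 'uid', 'gid', 'size',
           'atime', 'mtime', 'ctime', 'btime']
DELIMITER = '|'
TIMESTAMP_COLUMNS = ('atime', 'mtime', 'ctime', 'btime')
TIME_DESCRIPTIONS = {
    'atime': 'Last Access Time',
    'mtime': 'Content Modification Time',
    'ctime': 'Metadata Modification Time',
    'btime': 'Creation Time',
}

# Constructed bodyfile: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime,
# POSIX seconds, 0 meaning "not set". The third line is deliberately malformed.
SAMPLE_BODYFILE = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|2061|1609459200|1609455600|1609455600|0
0|/Users/alice/tool|5678-128-1|r/rrwxr-xr-x|501|20|4096|1609462800|1609462800|1609462800|1609462800
not a bodyfile line
"""


def split_row(line):
    """Split one line into a dict keyed by COLUMNS, or None on a field-count mismatch."""
    fields = line.rstrip("\n").split(DELIMITER)
    if len(fields) != len(COLUMNS):
        return None
    return dict(zip(COLUMNS, fields))


def parse_inode(value):
    """Inode column as int; "5678-128-1" (NTFS meta address) keeps the entry number.
    This reduction is a choice of the example."""
    number, _, _ = value.partition("-")
    return int(number)


def verify_row(row):
    """Counterpart of VerifyRow: numeric size, inode and timestamps, non-empty name."""
    try:
        int(row["size"])
        parse_inode(row["inode"])
        for column in TIMESTAMP_COLUMNS:
            int(row[column])
    except ValueError:
        return False
    return bool(row["name"])


def parse_row(row_offset, row):
    """Counterpart of ParseRow: one event dict per non-zero timestamp column,
    carrying the MactimeEventData attributes."""
    event_data = {
        "data_type": "fs:mactime:line",
        "filename": row["name"],
        "inode": parse_inode(row["inode"]),
        "md5": None if row["md5"] == "0" else row["md5"],  # "0" = not computed
        "mode_as_string": row["mode_as_string"],
        "offset": row_offset,
        "size": int(row["size"]),
        "user_gid": int(row["gid"]),
        "user_sid": row["uid"],
    }
    events = []
    for column in TIMESTAMP_COLUMNS:
        posix_time = int(row[column])
        if posix_time == 0:
            continue  # unset timestamp, no event
        events.append({
            "timestamp": datetime.datetime.fromtimestamp(
                posix_time, tz=datetime.timezone.utc),
            "timestamp_desc": TIME_DESCRIPTIONS[column],
            **event_data,
        })
    return events


def parse_bodyfile(text):
    """Parse every line; return (events, number of rows rejected)."""
    events, skipped = [], 0
    for line_number, line in enumerate(text.splitlines(), start=1):
        row = split_row(line)
        if row is None or not verify_row(row):
            skipped += 1
            continue
        events.extend(parse_row(line_number, row))
    return events, skipped


if __name__ == "__main__":
    for event in parse_bodyfile(SAMPLE_BODYFILE)[0]:
        print(event["timestamp"], event["timestamp_desc"], event["filename"])
```

Timestamps are interpreted as UTC here; bodyfiles produced by some tools are written in local time, so the offset should be confirmed against the producing tool before the events are merged into a timeline.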

plaso.parsers.manager module

The parsers and plugins manager.

class plaso.parsers.manager.ParsersManager[source]

Bases: object

The parsers and plugins manager.

classmethod CreateSignatureScanner(specification_store)[source]

Creates a signature scanner for format specifications with signatures.

Parameters:specification_store (FormatSpecificationStore) – format specifications with signatures.
Returns:signature scanner.
Return type:pysigscan.scanner
classmethod DeregisterParser(parser_class)[source]

Deregisters a parser class.

The parser classes are identified based on their lower case name.

Parameters:parser_class (type) – parser class (subclass of BaseParser).
Raises:KeyError – if parser class is not set for the corresponding name.
classmethod GetFormatsWithSignatures(parser_filter_expression=None)[source]

Retrieves the format specifications that have signatures.

This method will create a specification store for parsers that define a format specification with signatures and a list of parser names for those that do not.

Parameters:parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns:tuple containing:
  • FormatSpecificationStore: format specifications with signatures.
  • list[str]: remaining parser names that do not have a format specification with signatures.
Return type:tuple
classmethod GetNamesOfParsersWithPlugins()[source]

Retrieves the names of all parsers with plugins.

Returns:names of all parsers with plugins.
Return type:list[str]
classmethod GetParserAndPluginNames(parser_filter_expression=None)[source]

Retrieves the parser and parser plugin names.

Parameters:parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns:parser and parser plugin names.
Return type:list[str]
classmethod GetParserObjectByName(parser_name)[source]

Retrieves a specific parser object by its name.

Parameters:parser_name (str) – name of the parser.
Returns:parser object or None.
Return type:BaseParser
classmethod GetParserObjects(parser_filter_expression=None)[source]

Retrieves the parser objects.

Parameters:parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns:parsers per name.
Return type:dict[str, BaseParser]
classmethod GetParserPluginsInformation(parser_filter_expression=None)[source]

Retrieves the parser plugins information.

Parameters:parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns:pairs of parser plugin names and descriptions.
Return type:list[tuple[str, str]]
classmethod GetParsers(parser_filter_expression=None)[source]

Retrieves the registered parsers and plugins.

Retrieves a dictionary of all registered parsers and associated plugins from a parser filter string. The filter string can contain direct names of parsers, presets or plugins. The filter string can also negate selection if prepended with an exclamation point, e.g.: “foo,!foo/bar” would include parser foo but not include plugin bar. A list of specific included and excluded plugins is also passed to each parser’s class.

The three types of entries in the filter string:
  • name of a parser: this would be the exact name of a single parser to include (or exclude), e.g. foo;
  • name of a preset, e.g. win7: the presets are defined in plaso/parsers/presets.py;
  • name of a plugin: if a plugin name is included the parent parser will be included in the list of registered parsers;
Parameters:

parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.

Yields:

tuple – containing:

  • str: name of the parser;
  • type: parser class (subclass of BaseParser).
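The filter-expression rules above (comma-separated entries; a leading "!" negates; "parser/plugin" selects one plugin and pulls in its parent parser; preset names expand to their entries) are easy to get subtly wrong, so here is an added example that evaluates them against a small constructed registry. It is not plaso's ParsersManager code; REGISTERED_PARSERS and PRESETS are placeholders standing in for the real parser set and for plaso/parsers/presets.py, and the parser and plugin names in them are invented. The result is a dict of parser name to the sorted plugin names that remain selected.

```python
"""Added example: evaluating a parser filter expression such as "foo,!foo/bar"."""

# Constructed registry standing in for the registered parsers and their
# plugins; an empty list is a parser without plugins.
REGISTERED_PARSERS = {
    "foo": ["bar", "baz"],
    "sqlite": ["chrome_history", "firefox_history"],
    "winreg": ["appcompatcache", "userassist"],
    "syslog": [],
}

# Constructed preset table standing in for plaso/parsers/presets.py.
PRESETS = {
    "example_preset": ["sqlite/chrome_history", "winreg"],
}


def parse_filter_expression(expression):
    """Split the expression into (includes, excludes), each a dict mapping a
    parser name to the set of plugin names named for it (empty set = whole parser).
    Preset names are expanded to their entries, keeping the entry's sign."""
    includes, excludes = {}, {}
    if not expression:
        return includes, excludes
    for entry in expression.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        # Expand a preset name into its entries, each with the same sign.
        for expanded in PRESETS.get(entry, [entry]):
            parser_name, _, plugin_name = expanded.partition("/")
            target = excludes if negated else includes
            target.setdefault(parser_name, set())
            if plugin_name:
                target[parser_name].add(plugin_name)
    return includes, excludes


def get_parsers(expression=None):
    """Counterpart of GetParsers: dict of parser name -> sorted selected plugins.

    Rules implemented:
    - no includes at all (None / empty expression) selects every parser;
    - an include with no plugin part selects the parser and all its plugins;
    - an include "parser/plugin" selects that plugin and its parent parser;
    - an exclude with no plugin part drops the parser entirely;
    - an exclude "parser/plugin" drops only that plugin.
    """
    includes, excludes = parse_filter_expression(expression)
    selected = {}
    for parser_name, plugins in REGISTERED_PARSERS.items():
        if includes and parser_name not in includes:
            continue
        if parser_name in excludes and not excludes[parser_name]:
            continue  # whole parser excluded
        # Empty include set (or no includes) means "all plugins of this parser".
        wanted = set(includes.get(parser_name) or plugins)
        wanted &= set(plugins)  # ignore plugin names the parser does not have
        wanted -= excludes.get(parser_name, set())
        selected[parser_name] = sorted(wanted)
    return selected


if __name__ == "__main__":
    print(get_parsers("foo,!foo/bar"))  # {'foo': ['baz']}
```

The "foo,!foo/bar" case from the docstring resolves to parser foo with plugin baz only; "!winreg" keeps every other parser; and a preset expands before the include/exclude rules are applied, so "example_preset,!winreg/userassist" still works as a user would expect.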
classmethod GetParsersInformation()[source]

Retrieves the parsers information.

Returns:parser names and descriptions.
Return type:list[tuple[str, str]]
classmethod GetPresetForOperatingSystem(operating_system, operating_system_product, operating_system_version)[source]

Determines the preset for a specific operating system.

Parameters:
  • operating_system (str) – operating system for example “Windows”. This should be one of the values in definitions.OPERATING_SYSTEMS.
  • operating_system_product (str) – operating system product for example “Windows XP” as determined by preprocessing.
  • operating_system_version (str) – operating system version for example “5.1” as determined by preprocessing.
Returns:

parser filter preset, where None represents all parsers and plugins.

Return type:

str

classmethod RegisterParser(parser_class)[source]

Registers a parser class.

The parser classes are identified based on their lower case name.

Parameters:parser_class (type) – parser class (subclass of BaseParser).
Raises:KeyError – if parser class is already set for the corresponding name.
classmethod RegisterParsers(parser_classes)[source]

Registers parser classes.

The parser classes are identified based on their lower case name.

Parameters:parser_classes (list[type]) – parsers classes (subclasses of BaseParser).
Raises:KeyError – if parser class is already set for the corresponding name.
plaso.parsers.mcafeeav module

Parser for McAfee Anti-Virus Logs.

McAfee AV uses 4 logs to track when scans were run, when virus databases were updated, and when files match the virus database.

class plaso.parsers.mcafeeav.McafeeAVEventData[source]

Bases: plaso.containers.events.EventData

McAfee AV Log event data.

action

str – action.

filename

str – filename.

rule

str – rule.

status

str – status.

trigger_location

str – trigger location.

username

str – username.

DATA_TYPE = 'av:mcafee:accessprotectionlog'
class plaso.parsers.mcafeeav.McafeeAccessProtectionParser(encoding=None)[source]

Bases: plaso.parsers.dsv_parser.DSVParser

Parses the McAfee AV Access Protection Log.

COLUMNS = ['date', 'time', 'status', 'username', 'filename', 'trigger_location', 'rule', 'action']
DELIMITER = b'\t'
DESCRIPTION = 'Parser for McAfee AV Access Protection log files.'
NAME = 'mcafee_protection'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row_offset (int) – line number of the row.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.mediator module

The parser mediator.

class plaso.parsers.mediator.ParserMediator(storage_writer, knowledge_base, preferred_year=None, resolver_context=None, temporary_directory=None)[source]

Bases: object

Parser mediator.

last_activity_timestamp

int – timestamp received that indicates the last time activity was observed. The last activity timestamp is updated when the mediator produces an attribute container, such as an event source. This timestamp is used by the multiprocessing worker process to indicate the last time the worker was known to be active. This information is then used by the foreman to detect workers that are not responding (stalled).

AddEventAttribute(attribute_name, attribute_value)[source]

Adds an attribute that will be set on all events produced.

Setting attributes using this method will cause events produced via this mediator to have an attribute with the provided name set with the provided value.

Parameters:
  • attribute_name (str) – name of the attribute to add.
  • attribute_value (str) – value of the attribute to add.
Raises:

KeyError – if the event attribute is already set.

AppendToParserChain(plugin_or_parser)[source]

Adds a parser or parser plugin to the parser chain.

Parameters:plugin_or_parser (BaseParser) – parser or parser plugin.
ClearEventAttributes()[source]

Clears the extra event attributes.

ClearParserChain()[source]

Clears the parser chain.

GetDisplayName(file_entry=None)[source]

Retrieves the display name for a file entry.

Parameters:file_entry (Optional[dfvfs.FileEntry]) – file entry object, where None will return the display name of self._file_entry.
Returns:human readable string that describes the path to the file entry.
Return type:str
Raises:ValueError – if the file entry is missing.
GetDisplayNameForPathSpec(path_spec)[source]

Retrieves the display name for a path specification.

Parameters:path_spec (dfvfs.PathSpec) – path specification.
Returns:human readable version of the path specification.
Return type:str
GetEstimatedYear()[source]

Retrieves an estimate of the year.

This function determines the year in the following manner:
  • see if the user provided a preferred year;
  • see if the knowledge base defines a year, e.g. derived from preprocessing;
  • determine the year based on the file entry metadata;
  • default to the current year.

Returns:estimated year.
Return type:int
GetFileEntry()[source]

Retrieves the active file entry.

Returns:file entry.
Return type:dfvfs.FileEntry
GetFilename()[source]

Retrieves the name of the active file entry.

Returns:name of the active file entry or None.
Return type:str
GetLatestYear()[source]

Retrieves the latest (newest) year for an event from a file.

This function tries to determine the year based on the file entry metadata, if that fails the current year is used.

Returns:year of the file entry or the current year.
Return type:int
GetParserChain()[source]

Retrieves the current parser chain.

Returns:parser chain.
Return type:str
PopFromParserChain()[source]

Removes the last added parser or parser plugin from the parser chain.

ProcessEvent(event, parser_chain=None, file_entry=None, query=None)[source]

Processes an event before it is written to the storage.

Parameters:
  • event (EventObject|EventData) – event or event data.
  • parser_chain (Optional[str]) – parsing chain up to this point.
  • file_entry (Optional[dfvfs.FileEntry]) – file entry, where None will use the current file entry set in the mediator.
  • query (Optional[str]) – query that was used to obtain the event.
Raises:

KeyError – if there’s an attempt to add a duplicate attribute value to the event.

ProduceEventSource(event_source)[source]

Produces an event source.

Parameters:event_source (EventSource) – an event source.
Raises:RuntimeError – when storage writer is not set.
ProduceEventWithEventData(event, event_data)[source]

Produces an event.

Parameters:
Raises:

InvalidEvent – if the event timestamp value is not set or out of bounds.

ProduceExtractionError(message, path_spec=None)[source]

Produces an extraction error.

Parameters:
  • message (str) – message of the error.
  • path_spec (Optional[dfvfs.PathSpec]) – path specification, where None will use the path specification of current file entry set in the mediator.
Raises:

RuntimeError – when storage writer is not set.

RemoveEventAttribute(attribute_name)[source]

Removes an attribute from being set on all events produced.

Parameters:attribute_name (str) – name of the attribute to remove.
Raises:KeyError – if the event attribute is not set.
ResetFileEntry()[source]

Resets the active file entry.

SampleMemoryUsage(parser_name)[source]

Takes a sample of the memory usage for profiling.

Parameters:parser_name (str) – name of the parser.
SampleStartTiming(parser_name)[source]

Starts timing a CPU time sample for profiling.

Parameters:parser_name (str) – name of the parser.
SampleStopTiming(parser_name)[source]

Stops timing a CPU time sample for profiling.

Parameters:parser_name (str) – name of the parser.
SetEventExtractionConfiguration(configuration)[source]

Sets the event extraction configuration settings.

Parameters:configuration (EventExtractionConfiguration) – event extraction configuration.
SetFileEntry(file_entry)[source]

Sets the active file entry.

Parameters:file_entry (dfvfs.FileEntry) – file entry.
SetInputSourceConfiguration(configuration)[source]

Sets the input source configuration settings.

Parameters:configuration (InputSourceConfiguration) – input source configuration.
SetStorageWriter(storage_writer)[source]

Sets the storage writer.

Parameters:storage_writer (StorageWriter) – storage writer.
SignalAbort()[source]

Signals the parsers to abort.

StartProfiling(configuration, identifier, process_information)[source]

Starts profiling.

Parameters:
  • configuration (ProfilingConfiguration) – profiling configuration.
  • identifier (str) – identifier of the profiling session used to create the sample filename.
  • process_information (ProcessInfo) – process information.
StopProfiling()[source]

Stops profiling.

abort

bool – True if parsing should be aborted.

codepage

str – codepage.

hostname

str – hostname.

knowledge_base

KnowledgeBase – knowledge base.

number_of_produced_errors

int – number of produced errors.

number_of_produced_event_sources

int – number of produced event sources.

number_of_produced_events

int – number of produced events.

operating_system

str – operating system or None if not set.

resolver_context

dfvfs.Context – resolver context.

temporary_directory

str – path of the directory for temporary files.

timezone

datetime.tzinfo – timezone.

year

int – year.

plaso.parsers.msiecf module

Parser for Microsoft Internet Explorer (MSIE) Cache Files (CF).

class plaso.parsers.msiecf.MSIECFLeakEventData[source]

Bases: plaso.containers.events.EventData

MSIECF leak event data.

cached_filename

str – name of the cached file.

cached_file_size

int – size of the cached file.

cache_directory_index

int – index of the cache directory.

cache_directory_name

str – name of the cache directory.

recovered

bool – True if the item was recovered.

DATA_TYPE = 'msiecf:leak'
class plaso.parsers.msiecf.MSIECFParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses MSIE Cache Files (MSIECF).

DESCRIPTION = 'Parser for MSIE Cache Files (MSIECF) also known as index.dat.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:format specification.
Return type:FormatSpecification
NAME = 'msiecf'
ParseFileObject(parser_mediator, file_object)[source]

Parses a MSIE Cache File (MSIECF) file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
class plaso.parsers.msiecf.MSIECFRedirectedEventData[source]

Bases: plaso.containers.events.EventData

MSIECF redirected event data.

recovered

bool – True if the item was recovered.

url

str – location URL.

DATA_TYPE = 'msiecf:redirected'
class plaso.parsers.msiecf.MSIECFURLEventData[source]

Bases: plaso.containers.events.EventData

MSIECF URL event data.

cached_filename

str – name of the cached file.

cached_file_size

int – size of the cached file.

cache_directory_index

int – index of the cache directory.

cache_directory_name

str – name of the cache directory.

http_headers

str – HTTP headers.

number_of_hits

int – number of hits.

recovered

bool – True if the item was recovered.

url

str – location URL.

DATA_TYPE = 'msiecf:url'
plaso.parsers.ntfs module

Parser for NTFS metadata files.

class plaso.parsers.ntfs.NTFSFileStatEventData[source]

Bases: plaso.containers.events.EventData

NTFS file system stat event data.

attribute_type

int – attribute type e.g. 0x00000030 which represents $FILE_NAME.

file_attribute_flags

int – NTFS file attribute flags.

file_reference

int – NTFS file reference.

file_system_type

str – file system type.

is_allocated

bool – True if the MFT entry is allocated (marked as in use).

name

str – name associated with the stat event, e.g. that of a $FILE_NAME attribute or None if not available.

parent_file_reference

int – NTFS file reference of the parent.

DATA_TYPE = 'fs:stat:ntfs'
class plaso.parsers.ntfs.NTFSMFTParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses a NTFS $MFT metadata file.

DESCRIPTION = 'Parser for NTFS $MFT metadata files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:format specification.
Return type:FormatSpecification
NAME = 'mft'
ParseFileObject(parser_mediator, file_object)[source]

Parses a NTFS $MFT metadata file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
class plaso.parsers.ntfs.NTFSUSNChangeEventData[source]

Bases: plaso.containers.events.EventData

NTFS USN change event data.

file_attribute_flags

int – NTFS file attribute flags.

filename

str – name of the file associated with the event.

file_reference

int – NTFS file reference.

file_system_type

str – file system type.

parent_file_reference

int – NTFS file reference of the parent.

update_reason_flags

int – update reason flags.

update_sequence_number

int – update sequence number.

update_source_flags

int – update source flags.

DATA_TYPE = 'fs:ntfs:usn_change'
class plaso.parsers.ntfs.NTFSUsnJrnlParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses a NTFS USN change journal.

DESCRIPTION = 'Parser for NTFS USN change journal ($UsnJrnl).'
NAME = 'usnjrnl'
ParseFileObject(parser_mediator, file_object)[source]

Parses a NTFS $UsnJrnl metadata file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.olecf module

Parser for OLE Compound Files (OLECF).

class plaso.parsers.olecf.OLECFParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses OLE Compound Files (OLECF).

DESCRIPTION = 'Parser for OLE Compound Files (OLECF).'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:format specification.
Return type:FormatSpecification
NAME = 'olecf'
ParseFileObject(parser_mediator, file_object)[source]

Parses an OLE Compound File (OLECF) file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.opera module

Parsers for Opera Browser history files.

class plaso.parsers.opera.OperaGlobalHistoryEventData[source]

Bases: plaso.containers.events.EventData

Opera global history entry data.

description

str – description.

popularity_index

int – popularity index.

title

str – title.

url

str – URL.

DATA_TYPE = 'opera:history:entry'
class plaso.parsers.opera.OperaGlobalHistoryParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses the Opera global_history.dat file.

DESCRIPTION = 'Parser for Opera global_history.dat files.'
NAME = 'opera_global'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Opera global history file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.opera.OperaTypedHistoryEventData[source]

Bases: plaso.containers.events.EventData

Opera typed history entry data.

entry_selection

str – information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

entry_type

str – information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

url

str – typed URL or hostname.

DATA_TYPE = 'opera:history:typed_entry'
class plaso.parsers.opera.OperaTypedHistoryParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses the Opera typed_history.xml file.

DESCRIPTION = 'Parser for Opera typed_history.xml files.'
NAME = 'opera_typed_history'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Opera typed history file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.oxml module

This file contains a parser for OXML files (i.e. MS Office 2007+).

class plaso.parsers.oxml.OpenXMLEventData[source]

Bases: plaso.containers.events.EventData

OXML event data.

app_version

str – version of application that created document.

author

str – name of author.

creating_app

str – name of application that created document.

doc_security

str – ???

bool – True if hyperlinks have changed.

i4

str – ???

last_saved_by

str – name of user that last saved the document.

bool – True if the links are up to date.

number_of_characters

int – number of characters without spaces in the document.

number_of_characters_with_spaces

int – number of characters including spaces in the document.

number_of_lines

int – number of lines in the document.

number_of_pages

int – number of pages in the document.

number_of_paragraphs

int – number of paragraphs in the document.

number_of_words

int – number of words in the document.

revision_number

int – revision number.

scale_crop

bool – True if crop to scale is enabled.

shared_doc

bool – True if document is shared.

template

str – name of template ???

total_time

str – ???

DATA_TYPE = 'metadata:openxml'
class plaso.parsers.oxml.OpenXMLParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parse metadata from OXML files.

DESCRIPTION = 'Parser for OpenXML (OXML) files.'
NAME = 'openxml'
ParseFileObject(parser_mediator, file_object)[source]

Parses an OXML file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.pe module

A parser for Portable Executable format files.

class plaso.parsers.pe.PEEventData[source]

Bases: plaso.containers.events.EventData

Portable Executable (PE) event data.

dll_name

str – name of an imported DLL.

imphash

str – “Import Hash” of the pe file the event relates to. Also see: https://www.mandiant.com/blog/tracking-malware-import-hashing

pe_type

str – type of PE file the event relates to.

section_names

list[str] – names of the PE file’s sections.

DATA_TYPE = 'pe'
class plaso.parsers.pe.PEParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parser for Portable Executable (PE) files.

DESCRIPTION = 'Parser for Portable Executable (PE) files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

NAME = 'pe'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Portable Executable (PE) file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.plist module

This file contains the Property List (Plist) Parser.

Plaso’s engine calls PlistParser when it encounters Plist files to be processed.

class plaso.parsers.plist.PlistParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses binary and text plist files.

The Plaso engine calls parsers by their Parse() method. This parser’s Parse() uses GetTopLevel(), which deserializes plist files using the biplist library, and then calls the plugins (PlistPlugin) registered through the interface by their Process() method to produce event objects.

Plugins are how this parser understands the content inside a plist file: each plugin holds logic specific to a particular plist file. See the interface and the plist_plugins/ directory for examples of how plist plugins are implemented.

DESCRIPTION = 'Parser for binary and text plist files.'
GetTopLevel(file_object)[source]

Returns the deserialized content of a plist as a dictionary object.

Parameters:file_object (dfvfs.FileIO) – a file-like object to parse.
Returns:contents of the plist.
Return type:dict[str, object]
Raises:UnableToParseFile – when the file cannot be parsed.
NAME = 'plist'
ParseFileObject(parser_mediator, file_object)[source]

Parses a plist file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.pls_recall module

Parser for PL/SQL Developer Recall files.

class plaso.parsers.pls_recall.PlsRecallEventData[source]

Bases: plaso.containers.events.EventData

PL/SQL Recall event data.

database_name

str – name of the database.

query

str – PL/SQL query.

sequence_number

int – sequence number.

username

str – username used to query.

DATA_TYPE = 'PLSRecall:event'
class plaso.parsers.pls_recall.PlsRecallParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parse PL/SQL Recall files.

This parser is based on the Delphi definition of the data type:

TRecallRecord = packed record
  Sequence: Integer;
  TimeStamp: TDateTime;
  Username: array[0..30] of Char;
  Database: array[0..80] of Char;
  Text: array[0..4000] of Char;
end;

Delphi TDateTime is a little-endian 64-bit floating-point value without time zone information.

DESCRIPTION = 'Parser for PL/SQL Recall files.'
NAME = 'pls_recall'
ParseFileObject(parser_mediator, file_object)[source]

Parses a PLSRecall.dat file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.
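
A decoder for the record layout above, written in Python as an added example rather than plaso’s own DtFabric-based parser. It assumes one byte per Delphi Char (so the arrays are 31, 81 and 4001 bytes and a record is 4125 bytes) and converts TDateTime from the Delphi epoch of 1899-12-30; the sample records are constructed.

```python
"""Decoder for PL/SQL Developer Recall records (an added example, not plaso's
own DtFabric-based parser).

Layout follows the Delphi TRecallRecord definition quoted above, assuming one
byte per Char: Sequence (int32), TimeStamp (TDateTime, a double), then
NUL-padded Username[31], Database[81] and Text[4001] byte arrays, all
little-endian.
"""
import datetime
import math
import struct

# '<' = little-endian without alignment padding; i = int32, d = double,
# Ns = N raw bytes. The record is 4 + 8 + 31 + 81 + 4001 = 4125 bytes.
RECORD_FORMAT = '<id31s81s4001s'
RECORD_SIZE = struct.calcsize(RECORD_FORMAT)

# Delphi TDateTime counts days since 1899-12-30 00:00:00; the fractional
# part is the time of day. No time zone is stored, so the result is naive.
DELPHI_EPOCH = datetime.datetime(1899, 12, 30)


def delphi_datetime_to_datetime(value):
    """Converts a Delphi TDateTime double to a naive datetime.

    Delphi keeps the time of day as the absolute fractional part even for
    negative (pre-1899) values, so the two parts are split before adding.
    """
    days = math.trunc(value)
    fraction = abs(value - days)
    return (DELPHI_EPOCH + datetime.timedelta(days=days) +
            datetime.timedelta(days=fraction))


def _cstring(data):
    """Returns the NUL-terminated text stored in a fixed-size Char array."""
    return data.split(b'\x00', 1)[0].decode('latin-1')


def parse_recall_record(data):
    """Parses one TRecallRecord into a dict; raises ValueError if truncated."""
    if len(data) < RECORD_SIZE:
        raise ValueError('record truncated: {0:d} of {1:d} bytes'.format(
            len(data), RECORD_SIZE))
    sequence, timestamp, username, database, text = struct.unpack(
        RECORD_FORMAT, data[:RECORD_SIZE])
    return {
        'sequence_number': sequence,
        'timestamp': delphi_datetime_to_datetime(timestamp),
        'username': _cstring(username),
        'database_name': _cstring(database),
        'query': _cstring(text),
    }


def parse_recall_file(data):
    """Returns all complete records in a PLSRecall.dat image, in file order.

    A trailing partial record (e.g. a file cut off mid-write) is ignored
    rather than raising, so the records before it are still recovered.
    """
    records = []
    for offset in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        records.append(parse_recall_record(data[offset:offset + RECORD_SIZE]))
    return records


def build_recall_record(sequence, timestamp, username, database, text):
    """Builds a record from its fields (constructed test input, the inverse
    of parse_recall_record); struct pads the Char arrays with NUL bytes."""
    return struct.pack(
        RECORD_FORMAT, sequence, timestamp, username.encode('latin-1'),
        database.encode('latin-1'), text.encode('latin-1'))


if __name__ == '__main__':
    # Constructed sample: two records followed by a truncated third one.
    sample = (
        build_recall_record(1, 41640.5, 'SCOTT', 'ORCL', 'SELECT * FROM emp') +
        build_recall_record(2, 41640.75, 'SCOTT', 'ORCL', 'SELECT * FROM dept') +
        b'\x03\x00\x00\x00')
    for record in parse_recall_file(sample):
        print(record['sequence_number'], record['timestamp'].isoformat(),
              record['username'], record['database_name'], record['query'])
```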

plaso.parsers.plugins module

This file contains the basic interface for plugins within Plaso.

This library serves as a basis for all plugins in Plaso, whether they are Windows registry plugins, SQLite plugins or any other parsing plugins.

This is provided as a separate file to make it easier to inherit in other projects that may want to use the Plaso plugin system.

class plaso.parsers.plugins.BasePlugin[source]

Bases: object

A plugin is a lightweight parser that makes use of a common data structure.

When a data structure is common amongst several artifacts or files, a plugin infrastructure can be written to make writing parsers simpler. The goal of a plugin is to have only a single parser that understands the data structure and can call plugins that have specialized knowledge of certain structures.

An example of this is a SQLite database. A plugin can be written that has knowledge of a certain database, such as Chrome history or Skype history. This can be done without needing to write a full-fledged parser that re-implements the data structure knowledge. A single parser can be created that calls the plugins to see if one of them knows that particular database.

Another example is the Windows registry: a single parser can parse the registry, and the job of a single plugin is to parse a particular registry key. The parser can then read a registry key and compare it to the list of available plugins to see if it can be parsed.

DESCRIPTION = ''
NAME = 'base_plugin'
Process(parser_mediator, **kwargs)[source]

Evaluates if this is the correct plugin and processes data accordingly.

The purpose of the process function is to evaluate if this particular plugin is the correct one for the particular data structure at hand. This function accepts one value to use for evaluation, that could be a registry key, list of table names for a database or any other criteria that can be used to evaluate if the plugin should be run or not.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • kwargs (dict[str, object]) – Depending on the plugin they may require different sets of arguments to be able to evaluate whether or not this is the correct plugin.
Raises:

ValueError – when there are unused keyword arguments.

URLS = []
UpdateChainAndProcess(parser_mediator, **kwargs)[source]

Wrapper for Process() to synchronize the parser chain.

This convenience method updates the parser chain object held by the mediator, transfers control to the plugin-specific Process() method, and updates the chain again once the processing is complete. It provides a simpler parser API in most cases.

Parameters:parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
plugin_name

Return the name of the plugin.

class plaso.parsers.plugins.BasePluginCache[source]

Bases: object

A generic cache for parser plugins.

GetResults(attribute, default_value=None)[source]

Retrieves a cached attribute.

Parameters:
  • attribute (str) – name of the cached attribute.
  • default_value (Optional[object]) – default value.
Returns:

value of the cached attribute or default value if the cache does not contain the attribute.

Return type:

object

plaso.parsers.popcontest module

This file contains the Popularity Contest log file parser in plaso.

Information updated 20 January 2014. From Debian Package Popularity Contest, Avery Pennarun <apenwarr@debian.org>.

From ‘http://www.unix.com/man-page/Linux/8/popularity-contest/’:

The popularity-contest command gathers information about Debian packages installed on the system, and prints the name of the most recently used executable program in that package as well as its last-accessed time (atime) and last-attribute-changed time (ctime) to stdout.

When aggregated with the output of popularity-contest from many other systems, this information is valuable because it can be used to determine which Debian packages are commonly installed, used, or installed and never used. This helps Debian maintainers make decisions such as which packages should be installed by default on new systems.

The resulting statistic is available from the project home page http://popcon.debian.org/.

Normally, popularity-contest is run from a cron(8) job, /etc/cron.daily/popularity-contest, which automatically submits the results to Debian package maintainers (only once a week) according to the settings in /etc/popularity-contest.conf and /usr/share/popularity-contest/default.conf.

From ‘http://popcon.ubuntu.com/README’:

The popularity-contest output looks like this:

POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445
914183333 909868335 grep /bin/fgrep
914183333 909868280 findutils /usr/bin/find
914183330 909885698 dpkg-awk /usr/bin/dpkg-awk
914183330 909868577 gawk /usr/bin/gawk
[...more lines...]
END-POPULARITY-CONTEST-0 TIME:914183335

The first and last lines allow you to put more than one set of popularity-contest results into a single file and then split them up easily later.

The rest of the lines are package entries, one line for each package installed on your system. They have the format:

<atime> <ctime> <package-name> <mru-program> <tag>

<package-name> is the name of the Debian package that contains <mru-program>. <mru-program> is the most recently used program, static library, or header (.h) file in the package.

<atime> and <ctime> are the access time and creation time of the <mru-program> on your disk, respectively, represented as the number of seconds since midnight GMT on January 1, 1970 (i.e. in Unix time_t format). Linux updates <atime> whenever you open the file; <ctime> was set when you first installed the package.

<tag> is determined by popularity-contest depending on <atime>, <ctime>, and the current date. <tag> can be RECENT-CTIME, OLD, or NOFILES.

RECENT-CTIME means that atime is very close to ctime; it’s impossible to tell whether the package was used recently or not, since <atime> is also updated when <ctime> is set. Normally, this happens because you have recently upgraded the package to a new version, resetting the <ctime>.

OLD means that the <atime> is more than a month ago; you haven’t used the package for more than a month.

NOFILES means that no files in the package seemed to be programs, so <atime>, <ctime>, and <mru-program> are invalid.

REMARKS. The parser generates events solely based on the <atime> field and not on <ctime>, to reduce the generation of (possibly many) useless events all with the same <ctime>. Indeed, that <ctime> can probably be obtained from file system and/or package management logs. The <ctime> is still reported in the log line.
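
The format described above, implemented as an added Python example (it is not plaso’s pyparsing-based parser). It assumes tags appear in angle brackets, as the parser’s TAG structure expects, and that the <mru-program> field is absent on NOFILES entries; the header details and the NOFILES entry in the sample log are constructed.

```python
"""Popularity Contest log parser (an added example, not plaso's pyparsing
implementation).

It follows the format quoted above: a header line, one package entry per
line in the form "<atime> <ctime> <package-name> <mru-program> <tag>" where
<tag> is written in angle brackets and <mru-program> is absent for NOFILES
entries, and a footer line. As the REMARKS state, events are produced from
<atime> only; <ctime> is carried as an attribute of the record.
"""
import datetime
import re

HEADER_RE = re.compile(
    r'^POPULARITY-CONTEST-(?P<session>\d+) TIME:(?P<time>\d+) '
    r'ID:(?P<hostid>\S+)(?P<details>.*)$')
FOOTER_RE = re.compile(
    r'^END-POPULARITY-CONTEST-(?P<session>\d+) TIME:(?P<time>\d+)$')
# <mru-program> may not start with '<' so that a NOFILES line with no
# program ("0 0 pkg <NOFILES>") is not misread as having one.
ENTRY_RE = re.compile(
    r'^(?P<atime>\d+) (?P<ctime>\d+) (?P<package>\S+)'
    r'(?: (?P<mru>[^<\s]\S*))?(?: <(?P<tag>[A-Z-]+)>)?$')


def _to_datetime(epoch_text):
    """Converts a Unix time_t string to an aware UTC datetime."""
    return datetime.datetime.fromtimestamp(
        int(epoch_text), datetime.timezone.utc)


def _session_event(match, status):
    """Builds a session start or end event from a header or footer match."""
    event = {
        'data_type': 'popularity_contest:session:event',
        'timestamp': _to_datetime(match.group('time')),
        'session': int(match.group('session')),
        'status': status,
    }
    if status == 'start':
        event['hostid'] = match.group('hostid')
        event['details'] = match.group('details').strip() or None
    return event


def parse_popcon_log(text):
    """Parses a popularity-contest log and returns events in file order.

    Raises ValueError for a line matching none of the three structures,
    the way an unknown structure type is treated as a parse error.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = HEADER_RE.match(line)
        if match:
            events.append(_session_event(match, 'start'))
            continue
        match = FOOTER_RE.match(line)
        if match:
            events.append(_session_event(match, 'end'))
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError('unknown structure: {0:s}'.format(line))
        atime = int(match.group('atime'))
        # NOFILES marks <atime>, <ctime> and <mru-program> as invalid, so no
        # timestamped event is derived from it (this example's choice).
        if match.group('tag') == 'NOFILES' or atime == 0:
            continue
        events.append({
            'data_type': 'popularity_contest:log:event',
            'timestamp': _to_datetime(match.group('atime')),
            'package': match.group('package'),
            'mru': match.group('mru'),
            'record_tag': match.group('tag'),
            'ctime': _to_datetime(match.group('ctime')),
        })
    return events


# Constructed sample based on the README excerpt above, with header details,
# one tagged entry and one NOFILES entry added.
SAMPLE_LOG = """\
POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445 ARCH:i386 POPCONVER:1.38
914183333 909868335 grep /bin/fgrep
914183333 909868280 findutils /usr/bin/find <RECENT-CTIME>
0 0 libexample-dev <NOFILES>
END-POPULARITY-CONTEST-0 TIME:914183335
"""

if __name__ == '__main__':
    for event in parse_popcon_log(SAMPLE_LOG):
        print(event['timestamp'].isoformat(), event)
```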

class plaso.parsers.popcontest.PopularityContestEventData[source]

Bases: plaso.containers.events.EventData

Popularity Contest event data.

mru

str – recently used app/library from package.

package

str – installed package name to which the mru belongs.

record_tag

str – popularity contest tag.

DATA_TYPE = 'popularity_contest:log:event'
class plaso.parsers.popcontest.PopularityContestParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse popularity contest log files.

DESCRIPTION = 'Parser for popularity contest log files.'
FOOTER = {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)}
HEADER = {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}
LINE_STRUCTURES = [('logline', {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}), ('header', {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}), ('footer', {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)})]
LOG_LINE = {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}
MRU = W:(...)
NAME = 'popularity_contest'
PACKAGE = W:(0123...)
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – structure parsed from the log file.
Raises:

ParseError – when the structure type is unknown.

TAG = quoted string, starting with < ending with >
VerifyStructure(parser_mediator, line)[source]

Verify that this file is a Popularity Contest log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line was successfully parsed.

Return type:

bool

class plaso.parsers.popcontest.PopularityContestSessionEventData[source]

Bases: plaso.containers.events.EventData

Popularity Contest session event data.

details

str – version and host architecture.

hostid

str – host UUID.

session

int – session number.

status

str – session status, either “start” or “end”.

DATA_TYPE = 'popularity_contest:session:event'
plaso.parsers.presets module

The parser preset categories.

plaso.parsers.recycler module

Parser for Windows Recycle files, INFO2 and $I/$R pairs.

class plaso.parsers.recycler.WinRecycleBinEventData[source]

Bases: plaso.containers.events.EventData

Windows Recycle Bin event data.

drive_number

int – drive number.

file_size

int – file size.

original_filename

str – filename.

record_index

int – index of the record on which the event is based.

short_filename

str – short filename.

DATA_TYPE = 'windows:metadata:deleted_item'
class plaso.parsers.recycler.WinRecycleBinParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses the Windows $Recycle.Bin $I files.

DESCRIPTION = 'Parser for Windows $Recycle.Bin $I files.'
NAME = 'recycle_bin'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Recycle.Bin metadata ($I) file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.recycler.WinRecyclerInfo2Parser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses the Windows Recycler INFO2 file.

DESCRIPTION = 'Parser for Windows Recycler INFO2 files.'
NAME = 'recycle_bin_info2'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Recycler INFO2 file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.safari_cookies module

Parser for Safari Binary Cookie files.

class plaso.parsers.safari_cookies.BinaryCookieParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Safari Binary Cookie files.

DESCRIPTION = 'Parser for Safari Binary Cookie files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification for parser selection.

Returns:format specification.
Return type:FormatSpecification
NAME = 'binary_cookies'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Safari binary cookie file-like object.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • file_object (dfvfs.FileIO) – file-like object to be parsed.
Raises:

UnableToParseFile – when the file cannot be parsed, this will signal the event extractor to apply other parsers.

class plaso.parsers.safari_cookies.SafariBinaryCookieEventData[source]

Bases: plaso.containers.events.EventData

Safari binary cookie event data.

cookie_name

str – cookie name.

cookie_value

str – cookie value.

flags

int – cookie flags.

path

str – path of the cookie.

url

str – URL where this cookie is valid.

DATA_TYPE = 'safari:cookie:entry'
plaso.parsers.santa module

Santa log (santa.log) parser.

class plaso.parsers.santa.SantaExecutionEventData[source]

Bases: plaso.containers.events.EventData

Santa execution event data.

action

str – action recorded by Santa.

decision

str – if the process was allowed or blocked.

reason

str – reason behind Santa’s decision to execute or block the process.

process_hash

str – SHA256 hash for the executed process.

certificate_hash

str – SHA256 hash for the certificate associated with the executed process.

certificate_common_name

str – certificate common name.

pid

str – process id for the process.

ppid

str – parent process id for the executed process.

uid

str – user id associated with the executed process.

user

str – user name associated with the executed process.

gid

str – group id associated with the executed process.

group

str – group name associated with the executed process.

mode

str – Santa execution mode, for example Monitor or Lockdown.

process_path

str – process file path.

process_arguments

str – executed process with its arguments.

DATA_TYPE = 'santa:execution'
class plaso.parsers.santa.SantaFileSystemEventData[source]

Bases: plaso.containers.events.EventData

Santa file system event data.

action

str – event type recorded by Santa.

file_path

str – file path and name for WRITE/DELETE events.

file_new_path

str – new file path and name for RENAME events.

pid

str – process id for the process.

ppid

str – parent process id for the executed process.

process

str – process name.

process_path

str – process file path.

uid

str – user id associated with the executed process.

user

str – user name associated with the executed process.

gid

str – group id associated with the executed process.

group

str – group name associated with the executed process.

DATA_TYPE = 'santa:file_system_event'
class plaso.parsers.santa.SantaMountEventData[source]

Bases: plaso.containers.events.EventData

Santa mount event data.

action

str – event type recorded by Santa.

mount

str – disk mount point.

volume

str – disk volume name.

bsd_name

str – disk BSD name.

fs

str – disk volume kind.

model

str – disk model.

serial

str – disk serial.

bus

str – device protocol.

dmg_path

str – DMG file path.

appearance

str – disk appearance date.

DATA_TYPE = 'santa:diskmount'
class plaso.parsers.santa.SantaParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses Santa log files.

DESCRIPTION = 'Santa Parser'
LINE_STRUCTURES = [('execution_line', {{{{{{{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "EXEC"} Suppress:("|")} {{Suppress:("decision=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("reason=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("sha256=") SkipTo:("|")} Suppress:("|")}} [{{Suppress:("cert_sha256=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("cert_cn=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("quarantine_url=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("mode=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{Suppress:("args=") SkipTo:(lineEnd)}]}), ('file_system_event_line', {{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} {{"WRITE" ^ "RENAME"} ^ "DELETE"}} Suppress:("|")} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{{Suppress:("newpath=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("process=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("processpath=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} 
{{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('mount_line', {{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("fs=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("model=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("serial=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bus=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("dmgpath=") SkipTo:("|")} Suppress:("|")}} {Suppress:("appearance=") SkipTo:(lineEnd)}}), ('umount_line', {{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKDISAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('quota_exceeded_line', {Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) "*** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***"})]
MAX_LINE_LENGTH = 16384
NAME = 'santa'
ParseRecord(parser_mediator, key, structure)[source]

Parses a matching entry.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – elements parsed from the file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]

Verifies that this is a Santa log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from the text file.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.sccm module

Parser for SCCM Logs.

class plaso.parsers.sccm.SCCMLogEventData[source]

Bases: plaso.containers.events.EventData

SCCM log event data.

component

str – component.

text

str – text.

DATA_TYPE = 'software_management:sccm:log'
class plaso.parsers.sccm.SCCMParser[source]

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parser for Windows System Center Configuration Manager (SCCM) logs.

BUFFER_SIZE = 16384
DESCRIPTION = 'Parser for SCCM logs files.'
LINE_GRAMMAR_BASE = {{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}
LINE_GRAMMAR_OFFSET = {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}
LINE_STRUCTURES = [('log_entry', {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_at_end', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd}), ('log_entry_offset', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_offset_at_end', {{{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd})]
NAME = 'sccm'
ParseRecord(parser_mediator, key, structure)[source]

Parse the record and return an SCCM log event object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]

Verifies whether content corresponds to an SCCM log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • lines (str) – one or more lines from the text file.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.selinux module

This file contains the SELinux audit.log file parser.

Information updated 16 January 2013.

An example:

type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm="httpd" path="/home/auser/public_html" dev=sdb2 ino=921135

Where msg=audit(1105758604.519:420) contains the number of seconds since January 1, 1970 00:00:00 UTC and the number of milliseconds after the dot e.g. seconds: 1105758604, milliseconds: 519.

The number after the timestamp (420 in the example) is a ‘serial number’ that can be used to correlate multiple logs generated from the same event.
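
A parser for this line format, added here as an example (it is not plaso’s pyparsing implementation). It extracts the audit type, the timestamp and the serial number, takes the PID from the body, and groups records that share a serial number so the lines of one event can be correlated; the SYSCALL and UNKNOWN lines in the sample are constructed.

```python
"""SELinux audit.log line parser (an added example, not plaso's pyparsing
implementation).

It splits a line into the audit type, the audit(<seconds>.<milliseconds>:
<serial>) timestamp and the remaining body, following the example above, and
groups records by serial number so the lines of one event can be correlated.
"""
import collections
import datetime
import re

# type= is a word or UNKNOWN[<number>]; the audit() timestamp carries
# seconds, three digits of milliseconds and the serial number.
AUDIT_LINE_RE = re.compile(
    r'^type=(?P<audit_type>[A-Z_0-9]+|UNKNOWN\[[0-9]+\]) '
    r'msg=audit\((?P<seconds>\d+)\.(?P<milliseconds>\d{3}):(?P<serial>\d+)\): ?'
    r'(?P<body>.*)$')
# Requires whitespace before "pid=" so that "ppid=" is not picked up.
PID_RE = re.compile(r'(?:^|\s)pid=(?P<pid>\d+)(?:\s|$)')


def parse_audit_line(line):
    """Parses one audit.log line; returns None when it is not in the format."""
    match = AUDIT_LINE_RE.match(line)
    if not match:
        return None
    seconds = int(match.group('seconds'))
    milliseconds = int(match.group('milliseconds'))
    timestamp = datetime.datetime.fromtimestamp(seconds, datetime.timezone.utc)
    timestamp += datetime.timedelta(milliseconds=milliseconds)
    body = match.group('body')
    pid_match = PID_RE.search(body)
    return {
        'data_type': 'selinux:line',
        'audit_type': match.group('audit_type'),
        'timestamp': timestamp,
        'serial': int(match.group('serial')),
        'body': body,
        'pid': int(pid_match.group('pid')) if pid_match else None,
    }


def group_by_serial(lines):
    """Parses lines and groups the records by serial number, in order seen.

    Lines that do not match are skipped, as a parser would leave them to a
    different parser, so one malformed line does not lose the rest.
    """
    groups = collections.OrderedDict()
    for line in lines:
        record = parse_audit_line(line)
        if record is None:
            continue
        groups.setdefault(record['serial'], []).append(record)
    return groups


# Constructed sample: the AVC line from the example above (with plain quotes)
# plus a SYSCALL record of the same event and an unknown-type record.
SAMPLE_LINES = [
    'type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for '
    'pid=5962 comm="httpd" path="/home/auser/public_html" dev=sdb2 ino=921135',
    'type=SYSCALL msg=audit(1105758604.519:420): arch=40000003 syscall=195 '
    'success=no exit=-13 pid=5962 comm="httpd"',
    'type=UNKNOWN[1327] msg=audit(1105758605.001:421): '
    'proctitle=2F7573722F7362696E2F6874747064',
    'this line is not an audit record',
]

if __name__ == '__main__':
    for serial, records in group_by_serial(SAMPLE_LINES).items():
        print(serial, [record['audit_type'] for record in records])
```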

References:

taste_of_training/Summit_2010_SELinux.pdf

class plaso.parsers.selinux.SELinuxLogEventData[source]

Bases: plaso.containers.events.EventData

SELinux log event data.

audit_type

str – audit type.

body

str – body of the log line.

pid

int – process identifier (PID) that created the SELinux log line.

DATA_TYPE = 'selinux:line'
class plaso.parsers.selinux.SELinuxParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parser for SELinux audit.log files.

DESCRIPTION = 'Parser for SELinux audit.log files.'
LINE_STRUCTURES = [('line', Dict:({{Group:({{"type" Suppress:("=")} {W:(ABCD...) ^ Re:('UNKNOWN\\[[0-9]+\\]')}}) Group:({{{{{{{"msg" Suppress:("=audit(")} W:(0123...)} Suppress:(".")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:("):")})} Group:({Empty rest of line})}))]
NAME = 'selinux'
ParseRecord(parser_mediator, key, structure)[source]

Parses a structure of tokens derived from a line of a text file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]

Verifies if a line from a text file is in the expected format.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line is in the expected format, False if not.

Return type:

bool

plaso.parsers.skydrivelog module

This file contains the SkyDrive log file parser in plaso.

class plaso.parsers.skydrivelog.SkyDriveLogEventData[source]

Bases: plaso.containers.events.EventData

SkyDrive log event data.

detail

str – details.

log_level

str – log level.

module

str – name of the module that generated the log message.

source_code

str – source file and line number that generated the log message.

DATA_TYPE = 'skydrive:log:line'
class plaso.parsers.skydrivelog.SkyDriveLogParser[source]

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses SkyDrive log files.

DESCRIPTION = 'Parser for OneDrive (or SkyDrive) log files.'
IGNORE_FIELD = Suppress:(!W:(,))
LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} !W:(,)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} SkipTo:({{StringEnd | {Suppress:("######") "Logging started."}} | {{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}})} [lineEnd]...}), ('header', {{{{{{{{Suppress:("######") "Logging started."} "Version="} W:(0123...)} Suppress:("StartSystemTime:")} Group:({{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} W:(0123...)} Suppress:(".")} W:(0123...)})} "StartLocalTime:"} SkipTo:(lineEnd)} lineEnd})]
MSEC = W:(0123...)
NAME = 'skydrive_log'
ParseRecord(parser_mediator, key, structure)[source]

Parse each record structure and return an EventObject if applicable.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – identifier of the structure of tokens.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]

Verify that this file is a SkyDrive log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • lines (str) – one or more lines from the text file.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

class plaso.parsers.skydrivelog.SkyDriveOldLogEventData[source]

Bases: plaso.containers.events.EventData

SkyDrive old log event data.

log_level

str – log level.

source_code

str – source file and line number that generated the log message.

text

str – log message.

DATA_TYPE = 'skydrive:log:old:line'
class plaso.parsers.skydrivelog.SkyDriveOldLogParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse SkyDrive old log files.

DESCRIPTION = 'Parser for OneDrive (or SkyDrive) old log files.'
LINE_STRUCTURES = [('logline', {{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}}) Combine:({{{{!W:(:) ":"} W:(0123...)} "!"} W:(0123...)})} {{Suppress:("(") SkipTo:(")")} Suppress:(")")}} ":"} SkipTo:(lineEnd)}), ('no_header_single_line', {{~{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})} [Suppress:("->")]} SkipTo:(lineEnd)})]
NAME = 'skydrive_log_old'
ParseRecord(parser_mediator, key, structure)[source]

Parse each record structure and return an EventObject if applicable.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – identifier of the structure of tokens.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]

Verify that this file is a SkyDrive old log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line is in the expected format, False if not.

Return type:

bool

plaso.parsers.sophos_av module

Sophos Anti-Virus log (SAV.txt) parser.

References https://community.sophos.com/kb/en-us/110923

class plaso.parsers.sophos_av.SophosAVLogEventData[source]

Bases: plaso.containers.events.EventData

Sophos Anti-Virus log event data.

text

str – Sophos Anti-Virus log message.

DATA_TYPE = 'sophos:av:log'
class plaso.parsers.sophos_av.SophosAVLogParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses Anti-Virus log (SAV.txt) files.

DESCRIPTION = 'Parser for Anti-Virus log (SAV.txt) files.'
LINE_STRUCTURES = [('logline', {Group:({{{W:(0123...) W:(0123...)} W:(0123...)} {{W:(0123...) W:(0123...)} W:(0123...)}}) SkipTo:(lineEnd)})]
MAX_LINE_LENGTH = 4096
NAME = 'sophos_av'
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – identifier of the structure of tokens.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]

Verify that this file is a Sophos Anti-Virus log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
  • line (str) – line from a text file.
Returns:

True if the line is in the expected format, False if not.

Return type:

bool

plaso.parsers.sqlite module

SQLite parser.

class plaso.parsers.sqlite.SQLiteCache[source]

Bases: plaso.parsers.plugins.BasePluginCache

Cache for storing results of SQL queries.

CacheQueryResults(sql_results, attribute_name, key_name, column_names)[source]

Build a dictionary object based on a SQL command.

This function takes a SQL command, executes it, and for each resulting row stores a key in a dictionary.

An example:

sql_results = A SQL result object after executing the
              SQL command: 'SELECT foo, bla, bar FROM my_table'
attribute_name = 'all_the_things'
key_name = 'foo'
column_names = ['bla', 'bar']

Results from running this against the database:

'first', 'stuff', 'things'
'second', 'another stuff', 'another thing'

This will result in a dictionary object being created in the cache, called ‘all_the_things’ and it will contain the following value:

all_the_things = {
    'first': ['stuff', 'things'],
    'second': ['another_stuff', 'another_thing'],
    'third': ['single_thing']}
Parameters:
  • sql_results (sqlite3.Cursor) – result after executing a SQL command on a database.
  • attribute_name (str) – attribute name in the cache to store results to. This will be the name of the dictionary attribute.
  • key_name (str) – name of the result field that should be used as a key in the resulting dictionary that is created.
  • column_names (list[str]) – list of column names that are stored as values in the dictionary. If this list has only one entry, the value is stored directly; otherwise the value is a list containing the extracted results in the order of the names in this list.
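To make the single-column versus multi-column behaviour described above concrete, here is an added stand-alone re-implementation of the dictionary-building step (example code, not plaso's SQLiteCache), run against a constructed in-memory sqlite3 database holding the two rows from the docstring; the QueryCache class and the shadowing guard are assumptions of this example.

```python
import sqlite3


def build_sample_database():
    """Constructed in-memory stand-in for the database copy plaso would open."""
    connection = sqlite3.connect(':memory:')
    connection.execute('CREATE TABLE my_table (foo TEXT, bla TEXT, bar TEXT)')
    connection.executemany(
        'INSERT INTO my_table VALUES (?, ?, ?)',
        [('first', 'stuff', 'things'),
         ('second', 'another stuff', 'another thing')])
    connection.commit()
    return connection


def build_result_dictionary(sql_results, key_name, column_names):
    """Builds {row[key_name]: value} from a sqlite3.Cursor.

    One name in column_names stores the value directly; several store a
    list of values in column_names order (the documented contract).
    """
    # Cursor.description holds the column names of the executed query, so
    # positions are resolved by name instead of hard-coded indices.
    names = [description[0] for description in sql_results.description]
    key_index = names.index(key_name)  # ValueError if the key is not selected
    value_indices = [names.index(name) for name in column_names]

    results = {}
    for row in sql_results:
        if len(value_indices) == 1:
            value = row[value_indices[0]]
        else:
            value = [row[index] for index in value_indices]
        # A repeated key overwrites the earlier row, as a plain dict would.
        results[row[key_index]] = value
    return results


class QueryCache(object):
    """Hypothetical cache storing every result dictionary as an attribute."""

    def CacheQueryResults(self, sql_results, attribute_name, key_name,
                          column_names):
        # Refuse names that would shadow existing attributes (e.g. methods),
        # since attribute_name is data supplied by the calling plugin.
        if hasattr(self, attribute_name):
            raise ValueError('attribute {0:s} already exists'.format(
                attribute_name))
        setattr(self, attribute_name, build_result_dictionary(
            sql_results, key_name, column_names))


def demo():
    """Fills a cache with a multi-column and a single-column result set."""
    connection = build_sample_database()
    cache = QueryCache()
    cursor = connection.execute('SELECT foo, bla, bar FROM my_table')
    cache.CacheQueryResults(cursor, 'all_the_things', 'foo', ['bla', 'bar'])
    cursor = connection.execute('SELECT foo, bla, bar FROM my_table')
    cache.CacheQueryResults(cursor, 'bla_by_foo', 'foo', ['bla'])
    connection.close()
    return cache


def shadowing_is_rejected():
    """True if a name colliding with a method is refused by the cache."""
    connection = build_sample_database()
    cursor = connection.execute('SELECT foo, bla FROM my_table')
    try:
        QueryCache().CacheQueryResults(cursor, 'CacheQueryResults', 'foo', ['bla'])
    except ValueError:
        return True
    finally:
        connection.close()
    return False
```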
GetRowCache(query)[source]

Retrieves the row cache for a specific query.

The row cache is a set that contains hashes of the values in a row. It is used to find duplicate rows when both a database and the same database with its WAL file are parsed.

Parameters: query (str) – query.
Returns: hashes of the rows that have been parsed.
Return type: set
class plaso.parsers.sqlite.SQLiteDatabase(filename, temporary_directory=None)[source]

Bases: object

SQLite database.

schema

dict[str, str] – schema as an SQL query per table name, for example {'Users': 'CREATE TABLE Users ("id" INTEGER PRIMARY KEY, …)'}.

Close()[source]

Closes the database connection and cleans up the temporary file.

Open(file_object, wal_file_object=None)[source]

Opens a SQLite database file.

Since pysqlite cannot read directly from a file-like object, a temporary copy of the file is made. After creating the copy of the database file, this function sets up a connection to the database and determines the names of the tables.

Parameters:
  • file_object (dfvfs.FileIO) – file-like object.
  • wal_file_object (Optional[dfvfs.FileIO]) – file-like object for the Write-Ahead Log (WAL) file.
Raises:
  • IOError – if the file-like object cannot be read.
  • sqlite3.DatabaseError – if the database cannot be parsed.
  • ValueError – if the file-like object is missing.
Query(query)[source]

Queries the database.

Parameters: query (str) – SQL query.
Returns: results.
Return type: sqlite3.Cursor
Raises: sqlite3.DatabaseError – if querying the database fails.
SCHEMA_QUERY = 'SELECT tbl_name, sql FROM sqlite_master WHERE type = "table" AND tbl_name != "xp_proc" AND tbl_name != "sqlite_sequence"'
tables

list[str] – names of all the tables.

class plaso.parsers.sqlite.SQLiteParser[source]

Bases: plaso.parsers.interface.FileEntryParser

Parses SQLite database files.

DESCRIPTION = 'Parser for SQLite database files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns: a format specification or None if not available.
Return type: FormatSpecification
NAME = 'sqlite'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses a SQLite database file entry.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • file_entry (dfvfs.FileEntry) – file entry to be parsed.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.symantec module

This file contains a Symantec parser in plaso.

class plaso.parsers.symantec.SymantecEventData[source]

Bases: plaso.containers.events.EventData

Symantec event data.

access

str – access.

action0

str – action0.

action1

str – action1.

action1_status

str – action1 status.

action2

str – action2.

action2_status

str – action2 status.

address

str – address.

backup_id

str – backup identifier.

cat

str – category.

cleaninfo

str – clean information.

clientgroup

str – client group.

compressed

str – compressed.

computer

str – computer.

definfo

str – definfo.

defseqnumber

str – def sequence number.

deleteinfo

str – delete information.

depth

str – depth.

description

str – description.

domain_guid

str – domain identifier (GUID).

domainname

str – domain name.

err_code

str – error code.

event_data

str – event data.

event

str – event.

extra

str – extra.

file

str – file.

flags

str – flags.

groupid

str – group identifier.

guid

str – guid.

license_expiration_dt

str – license expiration date.

license_feature_name

str – license feature name.

license_feature_ver

str – license feature ver.

license_fulfillment_id

str – license fulfillment identifier.

license_lifecycle

str – license lifecycle.

license_seats_delta

str – license seats delta.

license_seats

str – license seats.

license_seats_total

str – license seats total.

license_serial_num

str – license serial number.

license_start_dt

str – license start date.

logger

str – logger.

login_domain

str – login domain.

log_session_guid

str – log session identifier (GUID).

macaddr

str – MAC address.

new_ext

str – new ext.

ntdomain

str – ntdomain.

offset

str – offset.

parent

str – parent.

quarfwd_status

str – quarfwd status.

remote_machine_ip

str – remote machine IP address.

remote_machine

str – remote machine.

scanid

str – scan identifier.

snd_status

str – snd status.

status

str – status.

still_infected

str – still infected.

time

str – time.

user

str – user.

vbin_id

str – vbin identifier.

vbin_session_id

str – vbin session identifier.

version

str – version.

virus_id

str – virus identifier.

virus

str – virus.

virustype

str – virustype.

DATA_TYPE = 'av:symantec:scanlog'
class plaso.parsers.symantec.SymantecParser(encoding=None)[source]

Bases: plaso.parsers.dsv_parser.DSVParser

Parses Symantec AV Corporate Edition and Endpoint Protection log files.

COLUMNS = ['time', 'event', 'cat', 'logger', 'computer', 'user', 'virus', 'file', 'action1', 'action2', 'action0', 'virustype', 'flags', 'description', 'scanid', 'new_ext', 'groupid', 'event_data', 'vbin_id', 'virus_id', 'quarfwd_status', 'access', 'snd_status', 'compressed', 'depth', 'still_infected', 'definfo', 'defseqnumber', 'cleaninfo', 'deleteinfo', 'backup_id', 'parent', 'guid', 'clientgroup', 'address', 'domainname', 'ntdomain', 'macaddr', 'version:', 'remote_machine', 'remote_machine_ip', 'action1_status', 'action2_status', 'license_feature_name', 'license_feature_ver', 'license_serial_num', 'license_fulfillment_id', 'license_start_dt', 'license_expiration_dt', 'license_lifecycle', 'license_seats_total', 'license_seats', 'err_code', 'license_seats_delta', 'status', 'domain_guid', 'log_session_guid', 'vbin_session_id', 'login_domain', 'extra']
DESCRIPTION = 'Parser for Symantec Anti-Virus log files.'
NAME = 'symantec_scanlog'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row_offset (int) – line number of the row.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.syslog module

Parser for syslog formatted log files.

class plaso.parsers.syslog.SyslogCommentEventData[source]

Bases: plaso.containers.events.EventData

Syslog comment event data.

body

str – message body.

DATA_TYPE = 'syslog:comment'
class plaso.parsers.syslog.SyslogLineEventData(data_type='syslog:line')[source]

Bases: plaso.containers.events.EventData

Syslog line event data.

body

str – message body.

hostname

str – hostname of the reporter.

pid

str – process identifier of the reporter.

reporter

str – reporter.

severity

str – severity.

DATA_TYPE = 'syslog:line'
class plaso.parsers.syslog.SyslogParser[source]

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses syslog formatted log files.

DESCRIPTION = 'Syslog Parser'
EnablePlugins(plugin_includes)[source]

Enables parser plugins.

Parameters: plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note that the default plugin is handled separately.
LINE_STRUCTURES = [('syslog_line', {{{{{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} W:(0123...)} W:(0123...)} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [{{Suppress:("<") W:(0123...)} Suppress:(">")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('syslog_line', {{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} "kernel"} Suppress:(":")} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('syslog_comment', {{{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} Suppress:(":")} Suppress:("---")} SkipTo:(" ---")} Suppress:("---")} LineEnd}), ('chromeos_syslog_line', {{{{{{{Combine:({{{{{{{{{{{{{{{W:(0123...) "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} - | +} W:(0123...)} [{":" W:(0123...)}]}) EMERG | ALERT | CRIT | ERR | WARNING | NOTICE | INFO | DEBUG} W:(0123...)} [Suppress:(":")]} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd})]
NAME = 'syslog'
ParseRecord(parser_mediator, key, structure)[source]

Parses a matching entry.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – elements parsed from the file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]

Verifies that this is a syslog-formatted file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • lines (str) – one or more lines from the text file.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.systemd_journal module

Parser for Systemd journal files.

class plaso.parsers.systemd_journal.SystemdJournalEventData[source]

Bases: plaso.containers.events.EventData

Systemd journal event data.

body

str – message body.

hostname

str – hostname.

pid

int – process identifier (PID).

reporter

str – reporter.

DATA_TYPE = 'systemd:journal'
class plaso.parsers.systemd_journal.SystemdJournalParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses Systemd Journal files.

DESCRIPTION = 'Parser for Systemd Journal files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification
NAME = 'systemd_journal'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Systemd journal file-like object.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the header cannot be parsed.

plaso.parsers.text_parser module

This file contains a class to provide a parsing framework to plaso.

This class contains a base framework class for parsing file-like objects, and also some implementations that extend it to provide a more comprehensive parser.

plaso.parsers.text_parser.ConvertTokenToInteger(string, location, tokens)[source]

Pyparsing parse action callback to convert a token into an integer value.

Parameters:
  • string (str) – original string.
  • location (int) – location in the string where the token was found.
  • tokens (list[str]) – tokens.
Returns:

integer value or None.

Return type:

int

class plaso.parsers.text_parser.EncodedTextReader(encoding, buffer_size=2048)[source]

Bases: object

Encoded text reader.

ReadLine(file_object)[source]

Reads a line.

Parameters: file_object (dfvfs.FileIO) – file-like object.
Returns: line read from the lines buffer.
Return type: str
ReadLines(file_object)[source]

Reads lines into the lines buffer.

Parameters: file_object (dfvfs.FileIO) – file-like object.
Reset()[source]

Resets the encoded text reader.

SkipAhead(file_object, number_of_characters)[source]

Skips ahead a number of characters.

Parameters:
  • file_object (dfvfs.FileIO) – file-like object.
  • number_of_characters (int) – number of characters.
plaso.parsers.text_parser.PyParseIntCast(string, location, tokens)[source]

Return an integer from a string.

This is a pyparsing callback method that converts the matched string into an integer.

The method modifies the content of the tokens list and converts them all to an integer value.

Parameters:
  • string (str) – original string.
  • location (int) – location in the string where the match was made.
  • tokens (list[str]) – extracted tokens, where the string to be converted is stored.
plaso.parsers.text_parser.PyParseJoinList(string, location, tokens)[source]

Return a joined token from a list of tokens.

This is a callback method for pyparsing setParseAction that modifies the returned token list to join all the elements in the list to a single token.

Parameters:
  • string (str) – original string.
  • location (int) – location in the string where the match was made.
  • tokens (list[str]) – extracted tokens, where the string to be converted is stored.
plaso.parsers.text_parser.PyParseRangeCheck(lower_bound, upper_bound)[source]

Verify that a number is within a defined range.

This is a callback method for pyparsing setParseAction that verifies that a read number is within a certain range.

To use this method it needs to be defined as a callback method in setParseAction with the upper and lower bound set as parameters.

Parameters:
  • lower_bound (int) – lower bound of the range.
  • upper_bound (int) – upper bound of the range.
Returns:

callback method that can be used by pyparsing setParseAction.

Return type:

Function
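The three callbacks above share pyparsing's parse-action signature (string, location, tokens), and PyParseRangeCheck is a closure factory. The added example below re-implements that contract in plain Python (example code, not plaso's text_parser, and pyparsing itself is not used): a regex stands in for the TIME_ELEMENTS grammar, and the hour/minute/second bounds are assumptions of this example, not values the page states.

```python
import re


class TokenRangeError(ValueError):
    """Stand-in for the pyparsing.ParseException the real callback raises."""


def convert_token_to_integer(string, location, tokens):
    """Returns the first token as a base-10 integer, or None if it is not one."""
    try:
        return int(tokens[0], 10)
    except (IndexError, TypeError, ValueError):
        return None


def py_parse_int_cast(string, location, tokens):
    """Converts every token in place, as documented for PyParseIntCast."""
    for index, token in enumerate(tokens):
        tokens[index] = int(token, 10)


def py_parse_range_check(lower_bound, upper_bound):
    """Returns a parse-action callback enforcing lower_bound <= value <= upper_bound."""

    def check_range(string, location, tokens):
        value = tokens[0]
        if not lower_bound <= value <= upper_bound:
            raise TokenRangeError(
                'value {0:d} at offset {1:d} outside [{2:d}, {3:d}]'.format(
                    value, location, lower_bound, upper_bound))

    return check_range


# Assumed bounds for hour, minute and second (not taken from the page).
_TIME_CHECKS = (
    py_parse_range_check(0, 23),
    py_parse_range_check(0, 59),
    py_parse_range_check(0, 59))

# Regex stand-in for the TIME_ELEMENTS grammar: HH:MM:SS at line start.
_TIME_ELEMENTS = re.compile(r'(\d{2}):(\d{2}):(\d{2})')


def parse_time_elements(line):
    """Tokenizes HH:MM:SS, casts the tokens and range-checks each field.

    Returns a (hour, minute, second) tuple, None when the line does not
    match, and raises TokenRangeError for a syntactically valid but
    out-of-range value such as 24:00:00.
    """
    match = _TIME_ELEMENTS.match(line)
    if not match:
        return None
    tokens = list(match.groups())
    py_parse_int_cast(line, match.start(), tokens)
    for index, check in enumerate(_TIME_CHECKS):
        # Each check receives only its own token, as pyparsing would pass it.
        check(line, match.start(index + 1), [tokens[index]])
    return tuple(tokens)


def is_valid_time(line):
    """True only when the line parses and every field is within bounds."""
    try:
        return parse_time_elements(line) is not None
    except TokenRangeError:
        return False
```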

class plaso.parsers.text_parser.PyparsingConstants[source]

Bases: object

Constants for pyparsing-based parsers.

COMMENT_LINE_HASH = {"#" SkipTo:(LineEnd)}
DATE = Group:({{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)})
DATE_ELEMENTS = {{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)}
DATE_TIME = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})
DATE_TIME_MSEC = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})
FOUR_DIGITS = W:(0123...)
HYPHEN = Suppress:("-")
INTEGER = W:(0123...)
IPV4_ADDRESS = {W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}}
IPV4_OCTET = W:(0123...)
IPV6_ADDRESS = W:(:012...)
IP_ADDRESS = {{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)}
MONTH = W:(ABCD...,abcd...)
ONE_OR_TWO_DIGITS = W:(0123...)
PID = W:(0123...)
THREE_DIGITS = W:(0123...)
THREE_LETTERS = W:(ABCD...)
TIME = Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})
TIME_ELEMENTS = {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}
TIME_MSEC = {{Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}) Suppress:(".")} W:(0123...)}
TIME_MSEC_ELEMENTS = {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}
TWO_DIGITS = W:(0123...)
class plaso.parsers.text_parser.PyparsingMultiLineTextParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Multi line text parser interface based on pyparsing.

BUFFER_SIZE = 2048
ParseFileObject(parser_mediator, file_object)[source]

Parses a text file-like object using a pyparsing definition.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – tokens from a parsed log line.
Returns:

event or None.

Return type:

EventObject

VerifyStructure(parser_mediator, lines)[source]

Verify the structure of the file and return a boolean based on that check.

This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • lines (str) – one or more lines from the text file.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

class plaso.parsers.text_parser.PyparsingSingleLineTextParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Single line text parser interface based on pyparsing.

LINE_STRUCTURES = []
MAXIMUM_CONSECUTIVE_LINE_FAILURES = 20
MAX_LINE_LENGTH = 400
ParseFileObject(parser_mediator, file_object)[source]

Parses a text file-like object using a pyparsing definition.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – tokens from a parsed log line.
VerifyStructure(parser_mediator, line)[source]

Verify the structure of the file and return a boolean based on that check.

This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – single line from the text file.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.trendmicroav module

Parser for Trend Micro Antivirus logs.

Trend Micro uses two log files to track the scans (both manual/scheduled and real-time) and the web reputation (network scan/filtering).

Currently only the first log is supported.

class plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser(encoding='cp1252')[source]

Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

Parses the Trend Micro Office Scan Virus Detection Log.

COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path', 'filename', 'unused2', 'timestamp', 'unused3', 'unused4']
DESCRIPTION = 'Parser for Trend Micro Office Scan Virus Detection log files.'
MIN_COLUMNS = 8
NAME = 'trendmicro_vd'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row_offset (int) – line number of the row.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

class plaso.parsers.trendmicroav.OfficeScanWebReputationParser(encoding='cp1252')[source]

Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

Parses the Trend Micro Office Scan Web Reputation detection log.

COLUMNS = ('date', 'time', 'block_mode', 'url', 'group_code', 'group_name', 'credibility_rating', 'policy_identifier', 'application_name', 'credibility_score', 'ip', 'threshold', 'timestamp', 'unused')
DESCRIPTION = 'Parser for Trend Micro Office Web Reputation log files.'
MIN_COLUMNS = 12
NAME = 'trendmicro_url'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row_offset (int) – line number of the row.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

class plaso.parsers.trendmicroav.TrendMicroAVEventData[source]

Bases: plaso.containers.events.EventData

Trend Micro AV Log event data.

action

str – action.

filename

str – filename.

path

str – path.

scan_type

str – scan_type.

threat

str – threat.

DATA_TYPE = 'av:trendmicro:scan'
class plaso.parsers.trendmicroav.TrendMicroBaseParser(encoding='cp1252')[source]

Bases: plaso.parsers.dsv_parser.DSVParser

Common code for parsing Trend Micro log files.

The file format is reminiscent of CSV, but is not quite the same; the delimiter is a three-character sequence and there is no provision for quoting or escaping.

COLUMNS = ()
DELIMITER = '<;>'
MIN_COLUMNS = None
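Because the delimiter is the three-character sequence '<;>' and there is no quoting, a stdlib csv reader cannot be used and a field that itself contains the delimiter is unrecoverable. The added example below (example code, not plaso's TrendMicroBaseParser) splits constructed virus-detection log lines with the COLUMNS and MIN_COLUMNS documented above; the field values, the all-digits date/time check and the rejection of over-long rows are assumptions of this example.

```python
import csv

# Column layout and limits as documented for OfficeScanVirusDetectionParser.
VIRUS_DETECTION_COLUMNS = [
    'date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path',
    'filename', 'unused2', 'timestamp', 'unused3', 'unused4']
DELIMITER = '<;>'
MIN_COLUMNS = 8

# Constructed sample lines: a well-formed row, a row whose path contains
# the delimiter (cannot be represented without quoting), and junk.
SAMPLE_LINES = [
    '20180101<;>120000<;>Eicar_test_file<;>Quarantine<;>Manual Scan<;>0<;>'
    'C:\\Users\\alice\\Downloads\\<;>eicar.com<;>0<;>1514808000<;>0<;>0\n',
    '20180101<;>120005<;>Eicar_test_file<;>Quarantine<;>Manual Scan<;>0<;>'
    'C:\\odd<;>name\\<;>eicar.com<;>0<;>1514808005<;>0<;>0\n',
    'not a trend micro line\n',
]


def stdlib_csv_can_split(delimiter):
    """True if csv.reader accepts the delimiter (it only takes one character)."""
    try:
        csv.reader([], delimiter=delimiter)
    except TypeError:
        return False
    return True


def split_row(line, columns=VIRUS_DETECTION_COLUMNS, min_columns=MIN_COLUMNS):
    """Splits one line into {column: field}; None when the shape is wrong.

    Too few fields falls under the documented MIN_COLUMNS; too many fields
    means a field contained the delimiter, which this example treats as
    malformed rather than silently shifting the remaining columns.
    """
    fields = line.rstrip('\r\n').split(DELIMITER)
    if len(fields) < min_columns or len(fields) > len(columns):
        return None
    return dict(zip(columns, fields))


def verify_row(row):
    """Assumed format check: date must be 8 digits and time all digits."""
    if row is None:
        return False
    return (len(row['date']) == 8 and row['date'].isdigit()
            and row['time'].isdigit())


def parse_lines(lines):
    """Returns ([(line_number, row), ...], [rejected_line_numbers])."""
    accepted, rejected = [], []
    for number, line in enumerate(lines, 1):
        row = split_row(line)
        if verify_row(row):
            accepted.append((number, row))
        else:
            rejected.append(number)
    return accepted, rejected
```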
class plaso.parsers.trendmicroav.TrendMicroUrlEventData[source]

Bases: plaso.containers.events.EventData

Trend Micro Web Reputation Log event data.

block_mode

str – operation mode.

url

str – accessed URL.

group_code

str – group code.

group_name

str – group name.

credibility_rating

int – credibility rating.

credibility_score

int – credibility score.

policy_identifier

int – policy identifier.

application_name

str – application name.

ip

str – IP address.

threshold

int – threshold value.

DATA_TYPE = 'av:trendmicro:webrep'
plaso.parsers.utmp module

Parser for Linux utmp files.

class plaso.parsers.utmp.UtmpEventData[source]

Bases: plaso.containers.events.EventData

utmp event data.

exit_status

int – exit status.

hostname

str – hostname or IP address.

ip_address

str – IP address from the connection.

pid

int – process identifier (PID).

terminal_identifier

int – inittab identifier.

terminal

str – type of terminal.

type

int – type of login.

username

str – user name.

DATA_TYPE = 'linux:utmp:event'
class plaso.parsers.utmp.UtmpParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Linux libc6 utmp files.

DESCRIPTION = 'Parser for Linux libc6 utmp files.'
NAME = 'utmp'
ParseFileObject(parser_mediator, file_object)[source]

Parses a utmp file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.utmpx module

Parser for utmpx files.

class plaso.parsers.utmpx.UtmpxMacOSEventData[source]

Bases: plaso.containers.events.EventData

MacOS utmpx event data.

hostname

str – hostname or IP address.

pid

int – process identifier (PID).

terminal

str – name of the terminal.

terminal_identifier

int – inittab identifier.

type

int – type of login.

username

str – user name.

DATA_TYPE = 'mac:utmpx:event'
class plaso.parsers.utmpx.UtmpxParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Mac OS X 10.5 utmpx files.

DESCRIPTION = 'Parser for Mac OS X 10.5 utmpx files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification
NAME = 'utmpx'
ParseFileObject(parser_mediator, file_object)[source]

Parses a UTMPX file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.winevt module

Parser for Windows EventLog (EVT) files.

class plaso.parsers.winevt.WinEvtParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows EventLog (EVT) files.

DESCRIPTION = 'Parser for Windows EventLog (EVT) files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification
NAME = 'winevt'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows EventLog (EVT) file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
class plaso.parsers.winevt.WinEvtRecordEventData[source]

Bases: plaso.containers.events.EventData

Windows EventLog (EVT) record event data.

computer_name

str – computer name stored in the event record.

event_category

int – event category.

event_identifier

int – event identifier.

event_type

int – event type.

facility

int – event facility.

message_identifier

int – event message identifier.

record_number

int – event record number.

recovered

bool – True if the record was recovered.

severity

int – event severity.

source_name

str – name of the event source.

strings

list[str] – event strings.

user_sid

str – user security identifier (SID) stored in the event record.

DATA_TYPE = 'windows:evt:record'
plaso.parsers.winevtx module

Parser for Windows XML EventLog (EVTX) files.

class plaso.parsers.winevtx.WinEvtxParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows XML EventLog (EVTX) files.

DESCRIPTION = 'Parser for Windows XML EventLog (EVTX) files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:format specification.
Return type:FormatSpecification
NAME = 'winevtx'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows XML EventLog (EVTX) file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
class Rule(index, name)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

static __new__(index, name)

Create new instance of Rule(index, name)

__repr__()

Return a nicely formatted representation string

index

Alias for field number 0

name

Alias for field number 1

class plaso.parsers.winevtx.WinEvtxRecordEventData[source]

Bases: plaso.containers.events.EventData

Windows XML EventLog (EVTX) record event data.

computer_name

str – computer name stored in the event record.

event_identifier

int – event identifier.

event_level

int – event level.

message_identifier

int – event message identifier.

record_number

int – event record number.

recovered

bool – True if the record was recovered.

source_name

str – name of the event source.

strings

list[str] – event strings.

strings_parsed

[dict] – parsed information from event strings.

user_sid

str – user security identifier (SID) stored in the event record.

xml_string

str – XML representation of the event.

DATA_TYPE = 'windows:evtx:record'
plaso.parsers.winfirewall module

Parser for Windows Firewall Log file.

class plaso.parsers.winfirewall.WinFirewallEventData[source]

Bases: plaso.containers.events.EventData

Windows Firewall event data.

action

str – action taken.

protocol

str – IP protocol.

source_ip

str – source IP address.

dest_ip

str – destination IP address.

source_port

int – TCP or UDP source port.

dest_port

int – TCP or UDP destination port.

size

int – size of ???

flags

str – TCP flags.

tcp_seq

int – TCP sequence number.

tcp_ack

int – TCP ACK ???

tcp_win

int – TCP window size ???

icmp_type

int – ICMP type.

icmp_code

int – ICMP code.

info

str – ???

path

str – ???

DATA_TYPE = 'windows:firewall:log_entry'
class plaso.parsers.winfirewall.WinFirewallParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses the Windows Firewall Log file.

DESCRIPTION = 'Parser for Windows Firewall Log files.'
LINE_STRUCTURES = [('comment', {"#" SkipTo:(LineEnd)}), ('logline', {{{{{{{{{{{{{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | Suppress:("-")}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}})]
NAME = 'winfirewall'
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – identifier of the structure of tokens.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]

Verify that this file is a firewall log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line is in the expected format, False if not.

Return type:

bool

plaso.parsers.winjob module

Parser for Windows Scheduled Task job files.

class plaso.parsers.winjob.WinJobEventData[source]

Bases: plaso.containers.events.EventData

Windows Scheduled Task event data.

application

str – path to job executable.

description

str – description of the scheduled task.

parameters

str – application command line parameters.

trigger_type

int – trigger type.

username

str – username that scheduled the task.

working_directory

str – working directory of the scheduled task.

DATA_TYPE = 'windows:tasks:job'
class plaso.parsers.winjob.WinJobParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parse Windows Scheduled Task files for job events.

DESCRIPTION = 'Parser for Windows Scheduled Task job (or At-job) files.'
NAME = 'winjob'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows job file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – a file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.winlnk module

Parser for Windows Shortcut (LNK) files.

class plaso.parsers.winlnk.WinLnkLinkEventData[source]

Bases: plaso.containers.events.EventData

Windows Shortcut (LNK) link event data.

birth_droid_file_identifier

str – distributed link tracking birth droid file identifier.

birth_droid_volume_identifier

str – distributed link tracking birth droid volume identifier.

command_line_arguments

str – command line arguments.

description

str – description of the linked item.

drive_serial_number

int – drive serial number where the linked item resides.

drive_type

str – drive type where the linked item resided.

droid_file_identifier

str – distributed link tracking droid file identifier.

droid_volume_identifier

str – distributed link tracking droid volume identifier.

env_var_location

str – environment variables location.

file_attribute_flags

int – file attribute flags of the linked item.

file_size

int – size of the linked item.

icon_location

str – icon location.

str – shell item list of the link target.

local_path

str – local path of the linked item.

network_path

str – local path of the linked item.

relative_path

str – relative path.

volume_label

str – volume label where the linked item resided.

working_directory

str – working directory.

DATA_TYPE = 'windows:lnk:link'
class plaso.parsers.winlnk.WinLnkParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows Shortcut (LNK) files.

DESCRIPTION = 'Parser for Windows Shortcut (LNK) files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:format specification.
Return type:FormatSpecification
NAME = 'lnk'
ParseFileLNKFile(parser_mediator, file_object, display_name)[source]

Parses a Windows Shortcut (LNK) file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
  • display_name (str) – display name.
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Shortcut (LNK) file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.winprefetch module

Parser for Windows Prefetch files.

class plaso.parsers.winprefetch.WinPrefetchExecutionEventData[source]

Bases: plaso.containers.events.EventData

Windows Prefetch event data.

executable

str – executable filename.

format_version

int – format version.

mapped_files

list[str] – mapped filenames.

number_of_volumes

int – number of volumes.

path

str – path to the executable.

prefetch_hash

int – prefetch hash.

run_count

int – run count.

volume_device_paths

list[str] – volume device paths.

volume_serial_numbers

list[int] – volume serial numbers.

DATA_TYPE = 'windows:prefetch:execution'
class plaso.parsers.winprefetch.WinPrefetchParser[source]

Bases: plaso.parsers.interface.FileObjectParser

A parser for Windows Prefetch files.

DESCRIPTION = 'Parser for Windows Prefetch files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:format specification.
Return type:FormatSpecification
NAME = 'prefetch'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Prefetch file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.winreg module

Parser for Windows NT Registry (REGF) files.

class plaso.parsers.winreg.WinRegistryParser[source]

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows NT Registry (REGF) files.

DESCRIPTION = 'Parser for Windows NT Registry (REGF) files.'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

NAME = 'winreg'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Registry file-like object.

Parameters:
  • parser_mediator (ParserMediator) – parser mediator.
  • file_object (dfvfs.FileIO) – a file-like object.
plaso.parsers.winrestore module

Parser for Windows Restore Point (rp.log) files.

class plaso.parsers.winrestore.RestorePointEventData[source]

Bases: plaso.containers.events.EventData

Windows Restore Point event data.

description

str – description.

restore_point_event_type

str – restore point event type.

restore_point_type

str – restore point type.

sequence_number

str – sequence number.

DATA_TYPE = 'windows:restore_point:info'
class plaso.parsers.winrestore.RestorePointLogParser[source]

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

A parser for Windows Restore Point (rp.log) files.

DESCRIPTION = 'Parser for Windows Restore Point (rp.log) files.'
FILTERS = frozenset({<plaso.parsers.interface.FileNameFileEntryFilter object>})
NAME = 'rplog'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Restore Point (rp.log) log file-like object.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • file_object (dfvfs.FileIO) – file-like object.
Raises:

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.xchatlog module

This file contains the XChat log file parser in plaso.

Information updated 24 July 2013.

The parser applies to XChat log files. Despite their apparent simplicity, it is not straightforward to handle every possible case. The XChat tool allows users to specify how the timestamp is encoded (using the strftime function), including additional separators. This parser accepts only the simplest default English form of an XChat log file, such as the following:

**** BEGIN LOGGING AT Mon Dec 31 21:11:55 2001
dec 31 21:11:55 --> You are now talking on #gugle
dec 31 21:11:55 --- Topic for #gugle is plaso, nobody knows what it means
dec 31 21:11:55 Topic for #gugle set by Kristinn
dec 31 21:11:55 --- Joachim gives voice to fpi
dec 31 21:11:55 *   XChat here
dec 31 21:11:58 <fpi> ola plas-ing guys!
dec 31 21:12:00 <Kristinn> ftw!

The missing month/day case could be handled too, by extracting the month/day information from the header. But the parser logic would become intricate, since it would need to manage the day transition for chat lines crossing midnight. From this derives the last-day-of-the-year bug, since the parser does not handle that transition.

Moreover, strftime is locale-dependent, so month names, footers and headers can change, even inside the same log file. That said, the following is the main logic used to parse the log files (note that the first header must be ‘**** BEGIN …’, otherwise the file will be skipped).

1) Check for ‘****’
  1.1) If ‘BEGIN LOGGING AT’ (English)
    1.1.1) Extract the YEAR
    1.1.2) Generate a new event: start logging
    1.1.3) Set parsing = True
  1.2) If ‘END LOGGING’
    1.2.1) If parsing, set parsing = False
    1.2.2) If not parsing, log debug
    1.2.3) Generate a new event: end logging
  1.3) If neither BEGIN nor END, we are facing a different language and we don’t know which language! If parsing is True, set parsing = False and log debug
2) Not ‘****’, so we are parsing a line
  2.1) If parsing = True, try to parse the line and generate an event
  2.2) If parsing = False, skip until the next good header is found
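The header/line state machine described above, written out as an added example (this is not plaso's own XChatLogParser code; it uses plain regular expressions instead of the pyparsing LINE_STRUCTURES). The sample log is constructed from the lines shown earlier plus a made-up non-English header, so that the "unknown language" branch (1.3) and the skip-until-next-header branch (2.2) are both exercised:

```python
import re
from datetime import datetime

# Constructed sample input (not from a real system): the default English
# layout, followed by a header in another language that the parser cannot
# recognise, so the lines after it are skipped.
SAMPLE_LOG = """**** BEGIN LOGGING AT Mon Dec 31 21:11:55 2001
dec 31 21:11:55 --> You are now talking on #gugle
dec 31 21:11:55 *   XChat here
dec 31 21:11:58 <fpi> ola plas-ing guys!
dec 31 21:12:00 <Kristinn> ftw!
**** END LOGGING AT Mon Dec 31 21:15:00 2001
**** INIZIO DEL LOG Tue Jan 01 00:00:00 2002
gen 01 00:00:01 <fpi> questa riga viene saltata
"""

# "**** BEGIN LOGGING AT <asctime>" or "**** END LOGGING AT <asctime>".
HEADER_RE = re.compile(
    r"^\*{4} (BEGIN|END) LOGGING AT "
    r"(\w{3} \w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4})$")
# "<mon> <day> <HH:MM:SS> [<nick>] <text>": month and day, but no year.
LINE_RE = re.compile(
    r"^([A-Za-z]{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (?:<([^>]+)> )?(.*)$")
MONTHS = {name: number for number, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def parse_xchat_log(text):
    """Returns a list of (kind, timestamp, nickname, text) tuples.

    kind is "start", "end" or "line". The year comes only from the last
    BEGIN header seen, so, like the parser described above, lines that
    cross New Year's Eve keep the old year.
    """
    events = []
    parsing = False
    year = None
    for line in text.splitlines():
        if line.startswith("****"):
            match = HEADER_RE.match(line)
            if not match:
                # 1.3: a header in an unknown language, stop parsing.
                parsing = False
                continue
            timestamp = datetime.strptime(
                match.group(2), "%a %b %d %H:%M:%S %Y")
            if match.group(1) == "BEGIN":
                year = timestamp.year  # 1.1.1: the only source of the year
                events.append(("start", timestamp, None, "XChat start logging"))
                parsing = True  # 1.1.3
            else:
                parsing = False  # 1.2.1
                events.append(("end", timestamp, None, "XChat end logging"))
            continue
        if not parsing:
            continue  # 2.2: wait for the next recognised BEGIN header
        match = LINE_RE.match(line)
        if not match:
            continue
        month = MONTHS.get(match.group(1).lower())
        if month is None:
            continue  # month name is not English, cannot place it in time
        day, hour, minute, second = (int(g) for g in match.group(2, 3, 4, 5))
        timestamp = datetime(year, month, day, hour, minute, second)
        events.append(("line", timestamp, match.group(6), match.group(7)))
    return events


if __name__ == "__main__":
    for event in parse_xchat_log(SAMPLE_LOG):
        print(event)
```

The two lines after the Italian header never become events, which is the behaviour the text describes: the parser cannot tell which language the header is in, so it turns parsing off and waits for the next ‘**** BEGIN LOGGING AT’ it recognises.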

References: http://xchat.org

class plaso.parsers.xchatlog.XChatLogEventData[source]

Bases: plaso.containers.events.EventData

XChat Log event data.

nickname

str – nickname.

text

str – text sent by nickname or other text (server, messages, etc.).

DATA_TYPE = 'xchat:log:line'
class plaso.parsers.xchatlog.XChatLogParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse XChat log files.

DESCRIPTION = 'Parser for XChat log files.'
LINE_STRUCTURES = [('logline', {{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) [quoted string, starting with < ending with >]} SkipTo:(lineEnd)}), ('header', {{Suppress:("****") Group:({{W:(0123...) W:(0123...)} W:(0123...)})} Group:({{{{Group:({{{{{{"Sun" | "Mon"} | "Tue"} | "Wed"} | "Thu"} | "Fri"} | "Sat"}) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} W:(0123...)})}), ('header_signature', "****")]
NAME = 'xchatlog'
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure and produces events.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – identifier of the structure of tokens.
  • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]

Verify that this file is a XChat log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line is in the expected format, False if not.

Return type:

bool

plaso.parsers.xchatscrollback module

This file contains the XChat scrollback log file parser in plaso.

Information updated 06 September 2013.

Besides its logging capability, the XChat IRC client has the option to record the text of open tabs, so that when rejoining a particular channel and/or a particular conversation, XChat displays the last messages exchanged. This artifact can be present, if not disabled, even when normal logging is disabled.

From the XChat FAQ (http://xchatdata.net/Using/FAQ):

Q: ‘How do I keep text from previous sessions from being displayed when I join a channel?’

R: ‘Starting in XChat 2.8.4, XChat implemented the Scrollback feature which displays text from the last time you had a particular tab open. To disable this setting for all channels, Go to Settings -> Preferences -> Logging and uncheck Display scrollback from previous session. In XChat 2.8.6, XChat implemented both Per Channel Logging, and Per Channel Scrollbacks. If you are on 2.8.6 or newer, you can disable loading scrollback for just one particular tab name by right clicking on the tab name, selecting Settings, and then unchecking Reload scrollback’

The log file format differs from the logging format, but it is quite simple, e.g. ‘T 1232315916 Python interface unloaded’, that is: <T><space><decimal timestamp><space><text>< >

The time reported in the log is the number of seconds since January 1, 1970 00:00:00 UTC (from source code, time(0)). The <text> part could contain some ‘decorators’ (bold, underline, colors indication, etc.), so the parser should strip those control fields.
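An added example of parsing the scrollback format just described (not plaso's XChatScrollbackParser itself). The sample lines are constructed; the set of control characters it strips (\x02 bold, \x1f underline, \x03 colour with optional fg[,bg] numbers, \x0f reset, \x1d italic, \x16 reverse) is the usual mIRC-style set, and treating exactly these as the ‘decorators’ the text mentions is an assumption of this example:

```python
import re
from datetime import datetime, timezone

# Constructed sample, not captured from a real client. The second line
# carries formatting codes around the nickname and inside the text.
SAMPLE_SCROLLBACK = (
    "T 1232315916 Python interface unloaded\n"
    "T 1232315920 <\x02fpi\x02> \x034,1ola\x0f plas-ing guys!\n"
    "T 1232315925 *\tfpi waves\n"
    "not a scrollback line\n"
)

# <T><space><decimal timestamp><space><text>
LOG_LINE_RE = re.compile(r"^T (\d+) (.*)$")
# An optional "<nick>" prefix in front of the text.
NICK_RE = re.compile(r"^<([^>]*)> ?")
# Assumed decorator set: colour (\x03 plus optional fg[,bg]) and the
# single-byte bold/underline/reset/italic/reverse toggles.
DECORATOR_RE = re.compile(
    r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x1f\x0f\x1d\x16]")


def strip_decorators(text):
    """Removes the formatting control codes from a scrollback text."""
    return DECORATOR_RE.sub("", text)


def parse_scrollback_line(line):
    """Returns a dict with timestamp, nickname and text, or None."""
    match = LOG_LINE_RE.match(line)
    if not match:
        return None
    # The timestamp is seconds since 1970-01-01 00:00:00 UTC (time(0)).
    timestamp = datetime.fromtimestamp(int(match.group(1)), tz=timezone.utc)
    # Strip first, so "<\x02nick\x02>" is still recognised as a nickname.
    body = strip_decorators(match.group(2))
    nickname = None
    nick_match = NICK_RE.match(body)
    if nick_match:
        nickname = nick_match.group(1)
        body = body[nick_match.end():]
    return {"timestamp": timestamp, "nickname": nickname, "text": body}


def parse_scrollback(text):
    """Parses every well-formed line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        entry = parse_scrollback_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for entry in parse_scrollback(SAMPLE_SCROLLBACK):
        print(entry["timestamp"].isoformat(), entry["nickname"], entry["text"])
```

Stripping the control codes before looking for the nickname matters: a nickname written in bold is stored as `<\x02nick\x02>` and would otherwise not be recognised, and the raw bytes would leak into the event's text field.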

References: http://xchat.org

class plaso.parsers.xchatscrollback.XChatScrollbackEventData[source]

Bases: plaso.containers.events.EventData

XChat Scrollback line event data.

nickname

str – nickname.

text

str – text sent by nickname or service messages.

DATA_TYPE = 'xchat:scrollback:line'
class plaso.parsers.xchatscrollback.XChatScrollbackParser[source]

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses XChat scrollback log files.

DESCRIPTION = 'Parser for XChat scrollback log files.'
LINE_STRUCTURES = [('logline', {{Suppress:("T") W:(0123...)} SkipTo:(LineEnd)})]
LOG_LINE = {{Suppress:("T") W:(0123...)} SkipTo:(LineEnd)}
MSG_ENTRY = {[{{"<" SkipTo:(">")} ">"}] SkipTo:(LineEnd)}
MSG_ENTRY_NICK = [{{"<" SkipTo:(">")} ">"}]
MSG_ENTRY_TEXT = SkipTo:(LineEnd)
MSG_NICK = SkipTo:(">")
MSG_NICK_END = ">"
MSG_NICK_START = "<"
NAME = 'xchatscrollback'
ParseRecord(parser_mediator, key, structure)[source]

Parses a log record structure.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – structure parsed from the log file.
STRIPPER = {Suppress:(W:(,0123...)) | Suppress:(W:(...))}
VerifyStructure(parser_mediator, line)[source]

Verify that this file is a XChat scrollback log file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • line (str) – line from a text file.
Returns:

True if the line was successfully parsed.

Return type:

bool

plaso.parsers.zsh_extended_history module

Parser for Zsh extended_history files.

The file format is described here: http://zsh.sourceforge.net/Doc/Release/Options.html#index-EXTENDEDHISTORY
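An added example (not plaso's ZshExtendedHistoryParser) of reading the format linked above: each entry starts with ‘: <start epoch>:<elapsed seconds>;<command>’, and a multi-line command continues on following lines until the next entry marker. Where the parser on this page uses one regular expression with a lookahead for the next marker, this example simply treats every line that is not a marker as a continuation of the current command. The history content is constructed:

```python
import re
from datetime import datetime, timezone

# Constructed sample, not taken from a real history file. The second entry
# is a multi-line command; zsh keeps the line breaks (with the trailing
# backslashes) inside the entry.
SAMPLE_HISTORY = "\n".join([
    ": 1457771210:0;cd plaso",
    ": 1457771236:3;for f in a b; do\\",
    "  echo $f\\",
    "done",
    ": 1457771300:12;ls -la",
]) + "\n"

# ": <start epoch>:<elapsed seconds>;<command>" marks the start of an entry.
ENTRY_RE = re.compile(r"^: (\d+):(\d+);(.*)$")


def parse_zsh_extended_history(text):
    """Returns a list of dicts with timestamp, elapsed_seconds and command."""
    entries = []
    current = None
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            current = {
                "timestamp": datetime.fromtimestamp(
                    int(match.group(1)), tz=timezone.utc),
                "elapsed_seconds": int(match.group(2)),
                "command": match.group(3),
            }
            entries.append(current)
        elif current is not None:
            # Continuation line of a multi-line command: keep it verbatim.
            current["command"] += "\n" + line
        # Lines before the first marker are not extended history: skipped.
    return entries


def verify_structure(text):
    """Accepts the content only if its first line is an entry marker,
    which is the same check a VerifyStructure method would make."""
    first_line = text.split("\n", 1)[0]
    return ENTRY_RE.match(first_line) is not None


if __name__ == "__main__":
    for entry in parse_zsh_extended_history(SAMPLE_HISTORY):
        print(entry["timestamp"].isoformat(), entry["elapsed_seconds"],
              repr(entry["command"]))
```

The start time is the only timestamp zsh records; the end of the command is start plus elapsed_seconds, which is what makes these entries useful for placing interactive shell activity on a timeline next to the other events plaso extracts.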

class plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser[source]

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parser for Zsh extended_history files.

DESCRIPTION = 'Parser for ZSH extended history files'
LINE_STRUCTURES = [('command', {{{{{{":" W:(0123...)} ":"} W:(0123...)} ";"} Re:('.+?(?=($|\\n:\\s\\d+:\\d+;))')} LineEnd})]
NAME = 'zsh_extended_history'
ParseRecord(parser_mediator, key, structure)[source]

Parses a record and produces a Zsh history event.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the parsed structure.
  • structure (pyparsing.ParseResults) – structure parsed from the log file.
Raises:

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]

Verifies whether content corresponds to a Zsh extended_history file.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • lines (str) – one or more lines from the text file.
Returns:

True if the line was successfully parsed.

Return type:

bool

class plaso.parsers.zsh_extended_history.ZshHistoryEventData[source]

Bases: plaso.containers.events.EventData

Zsh history event data.

command

str – command that was run.

elapsed_seconds

int – number of seconds that the command took to execute.

DATA_TYPE = 'shell:zsh:history'
Module contents

This file imports Python modules that register parsers.

plaso.preprocessors package

Submodules
plaso.preprocessors.interface module

This file contains classes used for preprocessing in plaso.

class plaso.preprocessors.interface.ArtifactPreprocessorPlugin[source]

Bases: object

The artifact preprocessor plugin interface.

The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.

ARTIFACT_DEFINITION_NAME = None
class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

File artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.

class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

File entry artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.

class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

File system artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.

Collect(knowledge_base, artifact_definition, searcher, file_system)[source]

Collects values using a file artifact definition.

Parameters:
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.
  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
  • file_system (dfvfs.FileSystem) – file system to be preprocessed.
Raises:

PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

Windows Registry key artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.

Collect(knowledge_base, artifact_definition, searcher)[source]

Collects values using a Windows Registry value artifact definition.

Parameters:
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.
  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.
Raises:

PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

Windows Registry value artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.

plaso.preprocessors.linux module

This file contains preprocessors for Linux.

class plaso.preprocessors.linux.LinuxDistributionPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux distribution plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'
class plaso.preprocessors.linux.LinuxHostnamePlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux hostname plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'
class plaso.preprocessors.linux.LinuxIssueFilePlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux issue file plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'
class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux standard base (LSB) release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'
class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux systemd operating system release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'
class plaso.preprocessors.linux.LinuxTimeZonePlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

Linux time zone plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'
class plaso.preprocessors.linux.LinuxUserAccountsPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'
plaso.preprocessors.logger module

The preprocessors sub module logger.

plaso.preprocessors.macos module

This file contains preprocessors for MacOS.

class plaso.preprocessors.macos.MacOSHostnamePlugin[source]

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS hostname plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'
class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin[source]

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS keyboard layout plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'
class plaso.preprocessors.macos.MacOSSystemVersionPlugin[source]

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS system version information plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'
class plaso.preprocessors.macos.MacOSTimeZonePlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

MacOS time zone plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'
class plaso.preprocessors.macos.MacOSUserAccountsPlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

MacOS user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'
class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

Plist file artifact preprocessor plugin interface.

Retrieves values from a plist file artifact using names of keys defined in _PLIST_KEYS.

plaso.preprocessors.manager module

The preprocess plugins manager.

class plaso.preprocessors.manager.PreprocessPluginsManager[source]

Bases: object

Preprocess plugins manager.

classmethod CollectFromFileSystem(artifacts_registry, knowledge_base, searcher, file_system)[source]

Collects values from Windows Registry values.

Parameters:
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.
  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
  • file_system (dfvfs.FileSystem) – file system to be preprocessed.
classmethod CollectFromWindowsRegistry(artifacts_registry, knowledge_base, searcher)[source]

Collects values from Windows Registry values.

Parameters:
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.
  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.
classmethod DeregisterPlugin(plugin_class)[source]

Deregisters a preprocess plugin class.

Parameters:

plugin_class (type) – preprocess plugin class.

Raises:
  • KeyError – if plugin class is not set for the corresponding name.
  • TypeError – if the source type of the plugin class is not supported.
classmethod GetNames()[source]

Retrieves the names of the registered artifact definitions.

Returns:registered artifact definitions names.
Return type:list[str]
classmethod RegisterPlugin(plugin_class)[source]

Registers a preprocess plugin class.

Parameters:

plugin_class (type) – preprocess plugin class.

Raises:
  • KeyError – if plugin class is already set for the corresponding name.
  • TypeError – if the source type of the plugin class is not supported.
classmethod RegisterPlugins(plugin_classes)[source]

Registers preprocess plugin classes.

Parameters:plugin_classes (list[type]) – preprocess plugin classes.
Raises:KeyError – if plugin class is already set for the corresponding name.
classmethod RunPlugins(artifacts_registry, file_system, mount_point, knowledge_base)[source]

Runs the preprocessing plugins.

Parameters:
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
  • file_system (dfvfs.FileSystem) – file system to be preprocessed.
  • mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.
plaso.preprocessors.windows module

This file contains preprocessors for Windows.

class plaso.preprocessors.windows.WindowsCodepagePlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows codepage plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'
class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

Windows environment variable artifact preprocessor plugin interface.

class plaso.preprocessors.windows.WindowsHostnamePlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows hostname plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'
class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

Windows path environment variable plugin interface.

class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFiles% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFiles'
class plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFilesX86% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFilesX86'
class plaso.preprocessors.windows.WindowsSystemProductPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system product information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsProductName'
class plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %SystemRoot% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableSystemRoot'
class plaso.preprocessors.windows.WindowsSystemVersionPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system version information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCurrentVersion'
class plaso.preprocessors.windows.WindowsTimeZonePlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows time zone plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsTimezone'
class plaso.preprocessors.windows.WindowsUserAccountsPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows user account plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsRegistryProfiles'
class plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %WinDir% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableWinDir'
Module contents

Preprocessor.

plaso.serializer package

Submodules
plaso.serializer.interface module

The serializer object interfaces.

class plaso.serializer.interface.AttributeContainerSerializer[source]

Bases: object

Class that implements the attribute container serializer interface.

ReadSerialized(serialized)[source]

Reads an attribute container from serialized form.

Parameters:serialized (object) – serialized form.
Returns:attribute container.
Return type:AttributeContainer
WriteSerialized(attribute_container)[source]

Writes an attribute container to serialized form.

Parameters:attribute_container (AttributeContainer) – attribute container.
Returns:serialized form.
Return type:object
plaso.serializer.json_serializer module

The json serializer object implementation.

class plaso.serializer.json_serializer.JSONAttributeContainerSerializer[source]

Bases: plaso.serializer.interface.AttributeContainerSerializer

Class that implements the json attribute container serializer.

classmethod ReadSerialized(json_string)[source]

Reads an attribute container from serialized form.

Parameters:json_string (str) – JSON serialized attribute container.
Returns:attribute container or None.
Return type:AttributeContainer
classmethod ReadSerializedDict(json_dict)[source]

Reads an attribute container from serialized dictionary form.

Parameters:json_dict (dict[str, object]) – JSON serialized objects.
Returns:attribute container or None.
Return type:AttributeContainer
Raises:TypeError – if the serialized dictionary does not contain an AttributeContainer.
classmethod WriteSerialized(attribute_container)[source]

Writes an attribute container to serialized form.

Parameters:attribute_container (AttributeContainer) – attribute container.
Returns:A JSON string containing the serialized form.
Return type:str
classmethod WriteSerializedDict(attribute_container)[source]

Writes an attribute container to serialized form.

Parameters:attribute_container (AttributeContainer) – attribute container.
Returns:JSON serialized objects.
Return type:dict[str, object]
plaso.serializer.logger module

The serializer sub module logger.

Module contents

plaso.storage package

Subpackages
plaso.storage.fake package
Submodules
plaso.storage.fake.writer module

Fake storage writer for testing.

class plaso.storage.fake.writer.FakeStorageWriter(session, storage_type='session', task=None)[source]

Bases: plaso.storage.interface.StorageWriter

Fake storage writer object.

analysis_reports

list[AnalysisReport] – analysis reports.

session_completion

SessionCompletion – session completion attribute container.

session_start

SessionStart – session start attribute container.

task_completion

TaskCompletion – task completion attribute container.

task_start

TaskStart – task start attribute container.

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters:analysis_report (AnalysisReport) – analysis report.
Raises:IOError – when the storage writer is closed.
AddError(error)[source]

Adds an error.

Parameters:error (ExtractionError) – error.
Raises:IOError – when the storage writer is closed.
AddEvent(event)[source]

Adds an event.

Parameters:event (EventObject) – event.
Raises:IOError – when the storage writer is closed or if the event data identifier type is not supported.
AddEventData(event_data)[source]

Adds event data.

Parameters:event_data (EventData) – event data.
Raises:IOError – when the storage writer is closed.
AddEventSource(event_source)[source]

Adds an event source.

Parameters:event_source (EventSource) – event source.
Raises:IOError – when the storage writer is closed.
AddEventTag(event_tag)[source]

Adds an event tag.

Parameters:event_tag (EventTag) – event tag.
Raises:IOError – when the storage writer is closed.
Close()[source]

Closes the storage writer.

Raises:IOError – when the storage writer is closed.
CreateTaskStorage(task)[source]

Creates a task storage.

Parameters:task (Task) – task.
Returns:storage writer.
Return type:FakeStorageWriter
Raises:IOError – if the task storage already exists.
FinalizeTaskStorage(task)[source]

Finalizes a processed task storage.

Parameters:task (Task) – task.
Raises:IOError – if the task storage does not exist.
GetErrors()[source]

Retrieves the errors.

Returns:error generator.
Return type:generator(ExtractionError)
GetEventData()[source]

Retrieves the event data.

Returns:event data generator.
Return type:generator(EventData)
GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters:identifier (AttributeContainerIdentifier) – event data identifier.
Returns:event data or None if not available.
Return type:EventData
GetEventSources()[source]

Retrieves the event sources.

Returns:event source generator.
Return type:generator(EventSource)
GetEventTags()[source]

Retrieves the event tags.

Returns:event tag generator.
Return type:generator(EventTag)
GetEvents()[source]

Retrieves the events.

Yields:EventObject – event.
GetFirstWrittenEventSource()[source]

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource, newly added event sources can be retrieved in order of addition.

Returns:event source or None if there are no newly written ones.
Return type:EventSource
Raises:IOError – when the storage writer is closed.
GetNextWrittenEventSource()[source]

Retrieves the next event source that was written after open.

Returns:event source or None if there are no newly written ones.
Return type:EventSource
Raises:IOError – when the storage writer is closed.
GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

Parameters:time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Returns:event generator.
Return type:generator(EventObject)
Raises:IOError – when the storage writer is closed.
Open()[source]

Opens the storage writer.

Raises:IOError – if the storage writer is already opened.
PrepareMergeTaskStorage(task)[source]

Prepares a task storage for merging.

Parameters:task (Task) – task.
Raises:IOError – if the task storage does not exist.
ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration, that is, system specific configuration data such as the user accounts.

Parameters:knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
Raises:IOError – if the storage type does not support writing preprocessing information or when the storage writer is closed.
RemoveProcessedTaskStorage(task)[source]

Removes a processed task storage.

Parameters:task (Task) – task.
Raises:IOError – if the task storage does not exist.
SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters:serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters:storage_profiler (StorageProfiler) – storage profiler.
WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters:knowledge_base (KnowledgeBase) – used to store the preprocessing information.
Raises:IOError – if the storage type does not support writing preprocessing information or when the storage writer is closed.
WriteSessionCompletion(aborted=False)[source]

Writes session completion information.

Parameters:aborted (Optional[bool]) – True if the session was aborted.
Raises:IOError – if the storage type does not support writing a session completion or when the storage writer is closed.
WriteSessionStart()[source]

Writes session start information.

Raises:IOError – if the storage type does not support writing a session start or when the storage writer is closed.
WriteTaskCompletion(aborted=False)[source]

Writes task completion information.

Parameters:aborted (Optional[bool]) – True if the task was aborted.
Raises:IOError – if the storage type does not support writing a task completion or when the storage writer is closed.
WriteTaskStart()[source]

Writes task start information.

Raises:IOError – if the storage type does not support writing a task start or when the storage writer is closed.
Module contents
plaso.storage.sqlite package
Submodules
plaso.storage.sqlite.merge_reader module

Merge reader for SQLite storage files.

class plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)[source]

Bases: plaso.storage.interface.StorageFileMergeReader

SQLite-based storage file reader for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]

Reads attribute containers from a task storage file into the writer.

Parameters:
  • callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.
  • maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represents no limit.
Returns:True if the entire task storage file has been merged.
Return type:bool
Raises:
  • RuntimeError – if the add method for the active attribute container type is missing.
  • OSError – if the task storage file cannot be deleted.
plaso.storage.sqlite.reader module

Reader for SQLite storage files.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]

Bases: plaso.storage.interface.StorageFileReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type='session')[source]

Bases: plaso.storage.interface.BaseStorageFile

SQLite-based storage file.

format_version

int – storage format version.

serialization_format

str – serialization format.

storage_type

str – storage type.

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters:analysis_report (AnalysisReport) – analysis report.
Raises:IOError – when the storage file is closed or read-only.
AddError(error)[source]

Adds an error.

Parameters:error (ExtractionError) – error.
Raises:IOError – when the storage file is closed or read-only.
AddEvent(event)[source]

Adds an event.

Parameters:event (EventObject) – event.
Raises:IOError – when the storage file is closed or read-only or if the event data identifier type is not supported.
AddEventData(event_data)[source]

Adds event data.

Parameters:event_data (EventData) – event data.
Raises:IOError – when the storage file is closed or read-only.
AddEventSource(event_source)[source]

Adds an event source.

Parameters:event_source (EventSource) – event source.
Raises:IOError – when the storage file is closed or read-only.
AddEventTag(event_tag)[source]

Adds an event tag.

Parameters:event_tag (EventTag) – event tag.
Raises:IOError – when the storage file is closed or read-only or if the event identifier type is not supported.
AddEventTags(event_tags)[source]

Adds event tags.

Parameters:event_tags (list[EventTag]) – event tags.
Raises:IOError – when the storage file is closed or read-only or if the event tags cannot be serialized.
classmethod CheckSupportedFormat(path)[source]

Checks if the storage file format is supported.

Parameters:path (str) – path to the storage file.
Returns:True if the format is supported.
Return type:bool
Close()[source]

Closes the storage.

Raises:IOError – if the storage file is already closed.
GetAnalysisReports()[source]

Retrieves the analysis reports.

Returns:analysis report generator.
Return type:generator(AnalysisReport)
GetErrors()[source]

Retrieves the errors.

Returns:error generator.
Return type:generator(ExtractionError)
GetEventData()[source]

Retrieves the event data.

Returns:event data generator.
Return type:generator(EventData)
GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters:identifier (SQLTableIdentifier) – event data identifier.
Returns:event data or None if not available.
Return type:EventData
GetEventSourceByIndex(index)[source]

Retrieves a specific event source.

Parameters:index (int) – event source index.
Returns:event source or None if not available.
Return type:EventSource
GetEventSources()[source]

Retrieves the event sources.

Returns:event source generator.
Return type:generator(EventSource)
GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters:identifier (SQLTableIdentifier) – event tag identifier.
Returns:event tag or None if not available.
Return type:EventTag
GetEventTags()[source]

Retrieves the event tags.

Yields:EventTag – event tag.
GetEvents()[source]

Retrieves the events.

Yields:EventObject – event.
GetNumberOfAnalysisReports()[source]

Retrieves the number of analysis reports.

Returns:number of analysis reports.
Return type:int
GetNumberOfEventSources()[source]

Retrieves the number of event sources.

Returns:number of event sources.
Return type:int
GetSessions()[source]

Retrieves the sessions.

Yields:Session – session attribute container.
Raises:IOError – if a stream is missing or there is a mismatch in session identifiers between the session start and completion attribute containers.
GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

Parameters:time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields:EventObject – event.
HasAnalysisReports()[source]

Determines if a store contains analysis reports.

Returns:True if the store contains analysis reports.
Return type:bool
HasErrors()[source]

Determines if a store contains extraction errors.

Returns:True if the store contains extraction errors.
Return type:bool
HasEventTags()[source]

Determines if a store contains event tags.

Returns:True if the store contains event tags.
Return type:bool
Open(path=None, read_only=True, **unused_kwargs)[source]

Opens the storage.

Parameters:
  • path (Optional[str]) – path to the storage file.
  • read_only (Optional[bool]) – True if the file should be opened in read-only mode.
Raises:
  • IOError – if the storage file is already opened or if the database cannot be connected.
  • ValueError – if path is missing.
ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration, that is, system specific configuration data such as the user accounts.

Parameters:knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters:knowledge_base (KnowledgeBase) – contains the preprocessing information.
Raises:IOError – if the storage type does not support writing preprocessing information or the storage file is closed or read-only.
WriteSessionCompletion(session_completion)[source]

Writes session completion information.

Parameters:session_completion (SessionCompletion) – session completion information.
Raises:IOError – when the storage file is closed or read-only.
WriteSessionStart(session_start)[source]

Writes session start information.

Parameters:session_start (SessionStart) – session start information.
Raises:IOError – when the storage file is closed or read-only.
WriteTaskCompletion(task_completion)[source]

Writes task completion information.

Parameters:task_completion (TaskCompletion) – task completion information.
Raises:IOError – when the storage file is closed or read-only.
WriteTaskStart(task_start)[source]

Writes task start information.

Parameters:task_start (TaskStart) – task start information.
Raises:IOError – when the storage file is closed or read-only.
plaso.storage.sqlite.writer module

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type='session', task=None)[source]

Bases: plaso.storage.interface.StorageFileWriter

SQLite-based storage file writer.

Module contents
Submodules
plaso.storage.event_heaps module

Heaps to sort events in chronological order.

class plaso.storage.event_heaps.BaseEventHeap[source]

Bases: object

Event heap interface.

PopEvent()[source]

Pops an event from the heap.

Returns:event.
Return type:EventObject
PopEvents()[source]

Pops events from the heap.

Yields:EventObject – event.
PushEvent(event)[source]

Pushes an event onto the heap.

Parameters:event (EventObject) – event.
PushEvents(events)[source]

Pushes events onto the heap.

Parameters:events (list[EventObject]) – events.
number_of_events

int – number of serialized events on the heap.

class plaso.storage.event_heaps.EventHeap[source]

Bases: plaso.storage.event_heaps.BaseEventHeap

Event heap.

PopEvent()[source]

Pops an event from the heap.

Returns:event.
Return type:EventObject
PushEvent(event)[source]

Pushes an event onto the heap.

Parameters:event (EventObject) – event.
class plaso.storage.event_heaps.SerializedEventHeap[source]

Bases: object

Serialized event heap.

data_size

int – total data size of the serialized events on the heap.

Empty()[source]

Empties the heap.

PopEvent()[source]

Pops an event from the heap.

Returns:tuple containing:
  • int: event timestamp or None if the heap is empty.
  • bytes: serialized event or None if the heap is empty.
Return type:tuple
PushEvent(timestamp, event_data)[source]

Pushes a serialized event onto the heap.

Parameters:
  • timestamp (int) – event timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
  • event_data (bytes) – serialized event.
number_of_events

int – number of serialized events on the heap.
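As an added example (not plaso's own code), the serialized event heap described above re-implemented on top of heapq: events are stored as serialized bytes keyed by their microsecond timestamp, the heap tracks data_size and number_of_events, and PopEvent returns (None, None) once the heap is empty. The insertion counter used to break ties between equal timestamps and the sample JSON events are assumptions of this example.

```python
import heapq
import itertools


class SerializedEventHeap(object):
    """Heap of serialized events ordered by timestamp (illustrative)."""

    def __init__(self):
        self._heap = []
        # Monotonic counter so events with equal timestamps pop in push
        # order (assumption of this example, not documented behaviour).
        self._counter = itertools.count()
        self.data_size = 0  # total size of serialized events on the heap

    @property
    def number_of_events(self):
        """int: number of serialized events on the heap."""
        return len(self._heap)

    def Empty(self):
        """Empties the heap."""
        self._heap = []
        self.data_size = 0

    def PushEvent(self, timestamp, event_data):
        """Pushes a serialized event onto the heap.

        Args:
            timestamp (int): microseconds since 1970-01-01 00:00:00 UTC.
            event_data (bytes): serialized event.
        """
        heapq.heappush(self._heap, (timestamp, next(self._counter), event_data))
        self.data_size += len(event_data)

    def PopEvent(self):
        """Pops the chronologically earliest event.

        Returns:
            tuple: (timestamp, serialized event), or (None, None) if empty.
        """
        if not self._heap:
            return None, None
        timestamp, _, event_data = heapq.heappop(self._heap)
        self.data_size -= len(event_data)
        return timestamp, event_data


# Constructed sample: three JSON-serialized events pushed out of order.
SAMPLE_EVENTS = [
    (1507000002000000, b'{"data_type": "syslog:line", "body": "session closed"}'),
    (1507000000000000, b'{"data_type": "syslog:line", "body": "session opened"}'),
    (1507000001000000, b'{"data_type": "fs:stat", "body": "/var/log/auth.log"}'),
]


def SortSerializedEvents(serialized_events):
    """Returns (timestamp, data) pairs in chronological order via the heap."""
    heap = SerializedEventHeap()
    for timestamp, event_data in serialized_events:
        heap.PushEvent(timestamp, event_data)
    sorted_events = []
    while heap.number_of_events:
        sorted_events.append(heap.PopEvent())
    return sorted_events


if __name__ == '__main__':
    for timestamp, event_data in SortSerializedEvents(SAMPLE_EVENTS):
        print(timestamp, event_data.decode('utf-8'))
```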

plaso.storage.event_tag_index module

The event tag index.

class plaso.storage.event_tag_index.EventTagIndex[source]

Bases: object

Event tag index.

The event tag index is used to map event tags to events.

It is needed for the ZIP storage files, since previously stored event tags cannot be altered.

GetEventTagByIdentifier(storage_file, event_identifier)[source]

Retrieves the most recently updated event tag for an event.

Parameters:
  • storage_file – storage file to look the event tag up in.
  • event_identifier – identifier of the event.
Returns:event tag or None if the event has no event tag.
Return type:EventTag

SetEventTag(event_tag)[source]

Sets an event tag in the index.

Parameters:event_tag (EventTag) – event tag.
plaso.storage.factory module

This file contains the storage factory class.

class plaso.storage.factory.StorageFactory[source]

Bases: object

Storage factory.

classmethod CreateStorageFile(storage_format)[source]

Creates a storage file.

Parameters:storage_format (str) – storage format.
Returns:a storage file or None if the storage file cannot be opened or the storage format is not supported.
Return type:StorageFile
classmethod CreateStorageFileForFile(path)[source]

Creates a storage file based on the file.

Parameters:path (str) – path to the storage file.
Returns:a storage file or None if the storage file cannot be opened or the storage format is not supported.
Return type:StorageFile
classmethod CreateStorageReaderForFile(path)[source]

Creates a storage reader based on the file.

Parameters:path (str) – path to the storage file.
Returns:a storage reader or None if the storage file cannot be opened or the storage format is not supported.
Return type:StorageReader
classmethod CreateStorageWriter(storage_format, session, path)[source]

Creates a storage writer.

Parameters:
  • session (Session) – session the storage changes are part of.
  • path (str) – path to the storage file.
  • storage_format (str) – storage format.
Returns:a storage writer or None if the storage file cannot be opened or the storage format is not supported.
Return type:StorageWriter

classmethod CreateStorageWriterForFile(session, path)[source]

Creates a storage writer based on the file.

Parameters:
  • session (Session) – session the storage changes are part of.
  • path (str) – path to the storage file.
Returns:a storage writer or None if the storage file cannot be opened or the storage format is not supported.
Return type:StorageWriter

plaso.storage.identifiers module

Storage attribute container identifier objects.

class plaso.storage.identifiers.FakeIdentifier(attribute_values_hash)[source]

Bases: plaso.containers.interface.AttributeContainerIdentifier

Fake attribute container identifier intended for testing.

attribute_values_hash

int – hash value of the attribute values.

CopyToString()[source]

Copies the identifier to a string representation.

Returns:unique identifier or None.
Return type:str
class plaso.storage.identifiers.SQLTableIdentifier(name, row_identifier)[source]

Bases: plaso.containers.interface.AttributeContainerIdentifier

SQL table attribute container identifier.

The identifier is used to uniquely identify attribute containers, for example where an attribute container is stored as JSON serialized data in a SQLite database file.

name

str – name of the table.

row_identifier

int – unique identifier of the row in the table.

CopyToString()[source]

Copies the identifier to a string representation.

Returns:unique identifier or None.
Return type:str
class plaso.storage.identifiers.SerializedStreamIdentifier(stream_number, entry_index)[source]

Bases: plaso.containers.interface.AttributeContainerIdentifier

Serialized stream attribute container identifier.

The identifier is used to uniquely identify attribute containers, for example where an attribute container is stored as JSON serialized data in a ZIP file.

stream_number

int – number of the serialized attribute container stream.

entry_index

int – number of the serialized event within the stream.

CopyToString()[source]

Copies the identifier to a string representation.

Returns:unique identifier or None.
Return type:str
plaso.storage.interface module

The storage interface classes.

class plaso.storage.interface.BaseStorageFile[source]

Bases: plaso.storage.interface.BaseStore

Interface for file-based stores.

class plaso.storage.interface.BaseStore[source]

Bases: object

Storage interface.

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters:analysis_report (AnalysisReport) – analysis report.
AddError(error)[source]

Adds an error.

Parameters:error (ExtractionError) – error.
AddEvent(event)[source]

Adds an event.

Parameters:event (EventObject) – event.
AddEventSource(event_source)[source]

Adds an event source.

Parameters:event_source (EventSource) – event source.
AddEventTag(event_tag)[source]

Adds an event tag.

Parameters:event_tag (EventTag) – event tag.
Close()[source]

Closes the storage.

GetAnalysisReports()[source]

Retrieves the analysis reports.

Yields:AnalysisReport – analysis report.
GetErrors()[source]

Retrieves the errors.

Yields:ExtractionError – error.
GetEventData()[source]

Retrieves the event data.

Yields:EventData – event data.
GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters:identifier (AttributeContainerIdentifier) – event data identifier.
Returns:event data or None if not available.
Return type:EventData
GetEventSources()[source]

Retrieves the event sources.

Yields:EventSource – event source.
GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters:identifier (AttributeContainerIdentifier) – event tag identifier.
Returns:event tag or None if not available.
Return type:EventTag
GetEventTags()[source]

Retrieves the event tags.

Yields:EventTag – event tag.
GetEvents()[source]

Retrieves the events.

Yields:EventObject – event.
GetNumberOfEventSources()[source]

Retrieves the number of event sources.

Returns:number of event sources.
Return type:int
GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage, including those still pending to be flushed (written) to it.

Parameters:time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields:EventObject – event.
HasAnalysisReports()[source]

Determines if a store contains analysis reports.

Returns:True if the store contains analysis reports.
Return type:bool
HasErrors()[source]

Determines if a store contains extraction errors.

Returns:True if the store contains extraction errors.
Return type:bool
HasEventTags()[source]

Determines if a store contains event tags.

Returns:True if the store contains event tags.
Return type:bool
Open(**kwargs)[source]

Opens the storage.

ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration, that is, system specific configuration data such as the user accounts.

Parameters:knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters:serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters:storage_profiler (StorageProfiler) – storage profiler.
WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters:knowledge_base (KnowledgeBase) – contains the preprocessing information.
WriteSessionCompletion(session_completion)[source]

Writes session completion information.

Parameters:session_completion (SessionCompletion) – session completion information.
WriteSessionStart(session_start)[source]

Writes session start information.

Parameters:session_start (SessionStart) – session start information.
WriteTaskCompletion(task_completion)[source]

Writes task completion information.

Parameters:task_completion (TaskCompletion) – task completion information.
WriteTaskStart(task_start)[source]

Writes task start information.

Parameters:task_start (TaskStart) – task start information.
class plaso.storage.interface.SerializedAttributeContainerList[source]

Bases: object

Serialized attribute container list.

The list is unsorted and pops attribute containers in the same order as they were pushed, so insertion order is preserved.

The GetAttributeContainerByIndex method should be used to read attribute containers from the list while it is being filled.

data_size

int – total data size of the serialized attribute containers on the list.

next_sequence_number

int – next attribute container sequence number.

Empty()[source]

Empties the list.

GetAttributeContainerByIndex(index)[source]

Retrieves a specific serialized attribute container from the list.

Parameters:index (int) – attribute container index.
Returns:serialized attribute container data or None if not available.
Return type:bytes
Raises:IndexError – if the index is less than zero.
PopAttributeContainer()[source]

Pops a serialized attribute container from the list.

Returns:serialized attribute container data.
Return type:bytes
PushAttributeContainer(serialized_data)[source]

Pushes a serialized attribute container onto the list.

Parameters:serialized_data (bytes) – serialized attribute container data.
number_of_attribute_containers

int – number of serialized attribute containers on the list.
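As an added example (not plaso's own code), the serialized attribute container list described above, together with a hypothetical flush policy modelled on the maximum_buffer_size parameter of SQLiteStorageFile: containers are pushed in order, can be read by index while the list is still filling, and are popped FIFO whenever the buffered data size reaches the limit. Returning None from PopAttributeContainer on an empty list, and the flush threshold itself, are assumptions of this example.

```python
import collections


class SerializedAttributeContainerList(object):
    """FIFO buffer of serialized attribute containers (illustrative)."""

    def __init__(self):
        self._list = collections.deque()
        self.data_size = 0  # total size of serialized containers on the list
        self.next_sequence_number = 0  # never reset, even when the list is emptied

    @property
    def number_of_attribute_containers(self):
        """int: number of serialized attribute containers on the list."""
        return len(self._list)

    def Empty(self):
        """Empties the list."""
        self._list.clear()
        self.data_size = 0

    def GetAttributeContainerByIndex(self, index):
        """Retrieves a container by index, or None if not (yet) available.

        Raises:
            IndexError: if the index is less than zero.
        """
        if index < 0:
            raise IndexError('Unsupported negative index value: {0:d}.'.format(index))
        if index >= len(self._list):
            return None
        return self._list[index]

    def PopAttributeContainer(self):
        """Pops the oldest serialized container (None if the list is empty)."""
        if not self._list:
            return None
        serialized_data = self._list.popleft()
        self.data_size -= len(serialized_data)
        return serialized_data

    def PushAttributeContainer(self, serialized_data):
        """Pushes a serialized container and assigns it the next sequence number."""
        self._list.append(serialized_data)
        self.data_size += len(serialized_data)
        self.next_sequence_number += 1


def _Flush(container_list):
    """Pops every buffered container, in push order, into one batch."""
    batch = []
    while container_list.number_of_attribute_containers:
        batch.append(container_list.PopAttributeContainer())
    return batch


def BufferAndFlush(serialized_containers, maximum_buffer_size):
    """Buffers containers and flushes them in batches (hypothetical policy).

    A flush happens whenever data_size reaches maximum_buffer_size; 0 means
    buffer everything and flush once at the end. Returns the list of batches.
    """
    container_list = SerializedAttributeContainerList()
    batches = []
    for serialized_data in serialized_containers:
        container_list.PushAttributeContainer(serialized_data)
        if maximum_buffer_size and container_list.data_size >= maximum_buffer_size:
            batches.append(_Flush(container_list))
    if container_list.number_of_attribute_containers:
        batches.append(_Flush(container_list))
    return batches


if __name__ == '__main__':
    # Constructed sample: four 4-byte "serialized containers", 10-byte limit.
    print(BufferAndFlush([b'aaaa', b'bbbb', b'cccc', b'dddd'], 10))
```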

class plaso.storage.interface.StorageFileMergeReader(storage_writer)[source]

Bases: plaso.storage.interface.StorageMergeReader

Storage reader interface for merging file-based stores.

class plaso.storage.interface.StorageFileReader(path)[source]

Bases: plaso.storage.interface.StorageReader

File-based storage reader interface.

Close()[source]

Closes the storage reader.

GetAnalysisReports()[source]

Retrieves the analysis reports.

Returns:analysis report generator.
Return type:generator(AnalysisReport)
GetErrors()[source]

Retrieves the errors.

Returns:error generator.
Return type:generator(ExtractionError)
GetEventData()[source]

Retrieves the event data.

Returns:event data generator.
Return type:generator(EventData)
GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters:identifier (AttributeContainerIdentifier) – event data identifier.
Returns:event data or None if not available.
Return type:EventData
GetEventSources()[source]

Retrieves the event sources.

Returns:event source generator.
Return type:generator(EventSource)
GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters:identifier (AttributeContainerIdentifier) – event tag identifier.
Returns:event tag or None if not available.
Return type:EventTag
GetEventTags()[source]

Retrieves the event tags.

Returns:event tag generator.
Return type:generator(EventTag)
GetEvents()[source]

Retrieves the events.

Returns:event generator.
Return type:generator(EventObject)
GetNumberOfAnalysisReports()[source]

Retrieves the number of analysis reports.

Returns:number of analysis reports.
Return type:int
GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage, including those still pending to be flushed (written) to it.

Parameters:time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Returns:event generator.
Return type:generator(EventObject)
ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration, that is, system specific configuration data such as the user accounts.

Parameters:knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters:serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters:storage_profiler (StorageProfiler) – storage profiler.
class plaso.storage.interface.StorageFileWriter(session, output_file, storage_type='session', task=None)[source]

Bases: plaso.storage.interface.StorageWriter

Defines an interface for a file-backed storage writer.

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters:analysis_report (AnalysisReport) – analysis report.
Raises:IOError – when the storage writer is closed.
AddError(error)[source]

Adds an error.

Parameters:error (AnalysisError|ExtractionError) – an analysis or extraction error.
Raises:IOError – when the storage writer is closed.
AddEvent(event)[source]

Adds an event.

Parameters:event (EventObject) – an event.
Raises:IOError – when the storage writer is closed.
AddEventData(event_data)[source]

Adds event data.

Parameters:event_data (EventData) – event data.
Raises:IOError – when the storage writer is closed.
AddEventSource(event_source)[source]

Adds an event source.

Parameters:event_source (EventSource) – an event source.
Raises:IOError – when the storage writer is closed.
AddEventTag(event_tag)[source]

Adds an event tag.

Parameters:event_tag (EventTag) – an event tag.
Raises:IOError – when the storage writer is closed.
CheckTaskReadyForMerge(task)[source]

Checks if a task is ready for merging with this session storage.

If the task is ready to be merged, this method also sets the task’s storage file size.

Parameters:task (Task) – task.
Returns:True if the task is ready to be merged.
Return type:bool
Raises:IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.
Close()[source]

Closes the storage writer.

Raises:IOError – when the storage writer is closed.
CreateTaskStorage(task)[source]

Creates a task storage.

The task storage is used to store attributes created by the task.

Parameters:task (Task) – task.
Returns:storage writer.
Return type:StorageWriter
Raises:IOError – if the storage type is not supported.
FinalizeTaskStorage(task)[source]

Finalizes a processed task storage.

Moves the task storage file from its temporary directory to the processed directory.

Parameters:task (Task) – task.
Raises:IOError – if the storage type is not supported or if the storage file cannot be renamed.
GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters:identifier (AttributeContainerIdentifier) – event data identifier.
Returns:event data or None if not available.
Return type:EventData
GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters:identifier (AttributeContainerIdentifier) – event tag identifier.
Returns:event tag or None if not available.
Return type:EventTag
GetEventTags()[source]

Retrieves the event tags.

Returns:event tag generator.
Return type:generator(EventTag)
GetEvents()[source]

Retrieves the events.

Returns:event generator.
Return type:generator(EventObject)
Raises:IOError – when the storage writer is closed.
GetFirstWrittenEventSource()[source]

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource, newly added event sources can be retrieved in order of addition.

Returns:event source or None if there are no newly written ones.
Return type:EventSource
Raises:IOError – when the storage writer is closed.
GetNextWrittenEventSource()[source]

Retrieves the next event source that was written after open.

Returns:event source or None if there are no newly written ones.
Return type:EventSource
Raises:IOError – when the storage writer is closed.
GetProcessedTaskIdentifiers()[source]

Identifiers for tasks which have been processed.

Returns:task identifiers that are processed.
Return type:list[str]
Raises:IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.
GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters:time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Returns:event generator.
Return type:generator(EventObject)
Raises:IOError – when the storage writer is closed.
Open()[source]

Opens the storage writer.

Raises:IOError – if the storage writer is already opened.
PrepareMergeTaskStorage(task)[source]

Prepares a task storage for merging.

Moves the task storage file from the processed directory to the merge directory.

Parameters:task (Task) – task.
Raises:IOError – if the storage type is not supported or if the storage file cannot be renamed.
ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration, which holds various system-specific configuration data, for example the user accounts.

Parameters:knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
Raises:IOError – when the storage writer is closed.
RemoveProcessedTaskStorage(task)[source]

Removes a processed task storage.

Parameters:task (Task) – task.
Raises:IOError – if the storage type is not supported or if the storage file cannot be removed.
SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters:serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters:storage_profiler (StorageProfiler) – storage profiler.
StartMergeTaskStorage(task)[source]

Starts a merge of a task storage with the session storage.

Parameters:task (Task) – task.
Returns:storage merge reader of the task storage.
Return type:StorageMergeReader
Raises:IOError – if the storage file cannot be opened, if the storage type is not supported, if the temporary path for the task storage does not exist or if the temporary path for the task storage does not refer to a file.
StartTaskStorage()[source]

Creates a temporary path for the task storage.

Raises:IOError – if the storage type is not supported or if the temporary path for the task storage already exists.
StopTaskStorage(abort=False)[source]

Removes the temporary path for the task storage.

The results of tasks will be lost on abort.

Parameters:abort (bool) – True to indicate the stop is issued on abort.
Raises:IOError – if the storage type is not supported.
WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters:knowledge_base (KnowledgeBase) – contains the preprocessing information.
Raises:IOError – if the storage type does not support writing preprocessing information or when the storage writer is closed.
WriteSessionCompletion(aborted=False)[source]

Writes session completion information.

Parameters:aborted (Optional[bool]) – True if the session was aborted.
Raises:IOError – if the storage type is not supported or when the storage writer is closed.
WriteSessionStart()[source]

Writes session start information.

Raises:IOError – if the storage type is not supported or when the storage writer is closed.
WriteTaskCompletion(aborted=False)[source]

Writes task completion information.

Parameters:aborted (Optional[bool]) – True if the session was aborted.
Raises:IOError – if the storage type is not supported or when the storage writer is closed.
WriteTaskStart()[source]

Writes task start information.

Raises:IOError – if the storage type is not supported or when the storage writer is closed.
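The task storage methods of StorageFileWriter above (StartTaskStorage, CreateTaskStorage, FinalizeTaskStorage, GetProcessedTaskIdentifiers, PrepareMergeTaskStorage, RemoveProcessedTaskStorage and StopTaskStorage) describe one lifecycle: a task's file is created under a temporary path, moved to a processed directory, then to a merge directory before a StorageMergeReader consumes it. The following added example is not plaso's code; it replays those documented moves on plain directories so the ordering and the "results are lost on stop" behaviour can be observed offline (the class name TaskStorageLayout, RunLifecycle, the file suffix and the subdirectory names are assumptions).

```python
import os
import shutil
import tempfile

class TaskStorageLayout(object):
  # Constructed stand-in, not plaso's own code: it mirrors the documented directory moves.
  def __init__(self, temporary_path):
    self.temporary_path = temporary_path
    self.processed_path = os.path.join(temporary_path, 'processed')
    self.merge_path = os.path.join(temporary_path, 'merge')
  def _GetFilePath(self, directory, task_identifier):
    return os.path.join(directory, '{0:s}.plaso'.format(task_identifier))
  def StartTaskStorage(self):
    # Documented: IOError if the temporary path for the task storage already exists.
    if os.path.isdir(self.temporary_path):
      raise IOError('Task storage path already exists.')
    for path in (self.processed_path, self.merge_path):
      os.makedirs(path)
  def CreateTaskStorage(self, task_identifier):
    with open(self._GetFilePath(self.temporary_path, task_identifier), 'wb') as f:
      f.write(b'constructed task results')
  def FinalizeTaskStorage(self, task_identifier):  # temporary -> processed
    os.rename(self._GetFilePath(self.temporary_path, task_identifier),
              self._GetFilePath(self.processed_path, task_identifier))
  def GetProcessedTaskIdentifiers(self):
    return sorted(name[:-len('.plaso')] for name in os.listdir(self.processed_path))
  def PrepareMergeTaskStorage(self, task_identifier):  # processed -> merge
    os.rename(self._GetFilePath(self.processed_path, task_identifier),
              self._GetFilePath(self.merge_path, task_identifier))
  def RemoveProcessedTaskStorage(self, task_identifier):
    os.remove(self._GetFilePath(self.processed_path, task_identifier))
  def StopTaskStorage(self):
    # Removing the temporary path discards any task results not yet merged.
    shutil.rmtree(self.temporary_path)

def RunLifecycle():
  # Drives two constructed tasks through the lifecycle and reports what is observed.
  with tempfile.TemporaryDirectory() as root:
    layout = TaskStorageLayout(os.path.join(root, 'tasks'))
    layout.StartTaskStorage()
    for task_identifier in ('task_a', 'task_b'):
      layout.CreateTaskStorage(task_identifier)
      layout.FinalizeTaskStorage(task_identifier)
    processed = layout.GetProcessedTaskIdentifiers()
    layout.PrepareMergeTaskStorage('task_a')  # task_a is handed to the merge reader
    layout.RemoveProcessedTaskStorage('task_b')  # task_b is dropped instead
    merged = os.path.isfile(layout._GetFilePath(layout.merge_path, 'task_a'))
    remaining = layout.GetProcessedTaskIdentifiers()
    layout.StopTaskStorage()
    return processed, remaining, merged, not os.path.isdir(layout.temporary_path)
```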
class plaso.storage.interface.StorageMergeReader(storage_writer)[source]

Bases: object

Storage reader interface for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]

Reads attribute containers from a task storage file into the writer.

Parameters:
  • callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.
  • maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represents no limit.
Returns:True if the entire task storage file has been merged.
Return type:bool

class plaso.storage.interface.StorageReader[source]

Bases: object

Storage reader interface.

Close()[source]

Closes the storage reader.

GetAnalysisReports()[source]

Retrieves the analysis reports.

Yields:AnalysisReport – analysis report.
GetErrors()[source]

Retrieves the errors.

Yields:ExtractionError – error.
GetEventData()[source]

Retrieves the event data.

Yields:EventData – event data.
GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters:identifier (AttributeContainerIdentifier) – event data identifier.
Returns:event data or None if not available.
Return type:EventData
GetEventSources()[source]

Retrieves event sources.

Yields:EventSourceObject – event source.
GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters:identifier (AttributeContainerIdentifier) – event tag identifier.
Returns:event tag or None if not available.
Return type:EventTag
GetEventTags()[source]

Retrieves the event tags.

Yields:EventTag – event tag.
GetEvents()[source]

Retrieves the events.

Yields:EventObject – event.
GetNumberOfAnalysisReports()[source]

Retrieves the number of analysis reports.

Returns:number of analysis reports.
Return type:int
GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters:time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields:EventObject – event.
ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration, which holds various system-specific configuration data, for example the user accounts.

Parameters:knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters:serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters:storage_profiler (StorageProfiler) – storage profiler.
__enter__()[source]

Make usable with “with” statement.

__exit__(exception_type, value, traceback)[source]

Make usable with “with” statement.

class plaso.storage.interface.StorageWriter(session, storage_type='session', task=None)[source]

Bases: object

Storage writer interface.

number_of_analysis_reports

int – number of analysis reports written.

number_of_errors

int – number of errors written.

number_of_event_sources

int – number of event sources written.

number_of_event_tags

int – number of event tags written.

number_of_events

int – number of events written.

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters:analysis_report (AnalysisReport) – a report.
AddError(error)[source]

Adds an error.

Parameters:error (ExtractionError) – an error.
AddEvent(event)[source]

Adds an event.

Parameters:event (EventObject) – an event.
AddEventSource(event_source)[source]

Adds an event source.

Parameters:event_source (EventSource) – an event source.
AddEventTag(event_tag)[source]

Adds an event tag.

Parameters:event_tag (EventTag) – an event tag.
Close()[source]

Closes the storage writer.

CreateTaskStorage(task)[source]

Creates a task storage.

Parameters:task (Task) – task.
Returns:storage writer.
Return type:StorageWriter
Raises:NotImplementedError – since there is no implementation.
FinalizeTaskStorage(task)[source]

Finalizes a processed task storage.

Parameters:task (Task) – task.
Raises:NotImplementedError – since there is no implementation.
GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters:identifier (AttributeContainerIdentifier) – event data identifier.
Returns:event data or None if not available.
Return type:EventData
GetEvents()[source]

Retrieves the events.

Yields:EventObject – event.
GetFirstWrittenEventSource()[source]

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource, newly added event sources can be retrieved in order of addition.

Returns:event source or None if there are no newly written ones.
Return type:EventSource
GetNextWrittenEventSource()[source]

Retrieves the next event source that was written after open.

Returns:event source or None if there are no newly written ones.
Return type:EventSource
GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters:time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields:EventObject – event.
Open()[source]

Opens the storage writer.

PrepareMergeTaskStorage(task)[source]

Prepares a task storage for merging.

Parameters:task (Task) – task.
Raises:NotImplementedError – since there is no implementation.
ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration, which holds various system-specific configuration data, for example the user accounts.

Parameters:knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
RemoveProcessedTaskStorage(task)[source]

Removes a processed task storage.

Parameters:task (Task) – task.
Raises:NotImplementedError – since there is no implementation.
SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters:serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters:storage_profiler (StorageProfiler) – storage profiler.
WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters:knowledge_base (KnowledgeBase) – contains the preprocessing information.
WriteSessionCompletion(aborted=False)[source]

Writes session completion information.

Parameters:aborted (Optional[bool]) – True if the session was aborted.
WriteSessionStart()[source]

Writes session start information.

WriteTaskCompletion(aborted=False)[source]

Writes task completion information.

Parameters:aborted (Optional[bool]) – True if the session was aborted.
WriteTaskStart()[source]

Writes task start information.

plaso.storage.logger module

The storage sub module logger.

plaso.storage.time_range module

Storage time range objects.

class plaso.storage.time_range.TimeRange(start_timestamp, end_timestamp)[source]

Bases: object

Date and time range.

The timestamps are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.

duration

int – duration of the range in microseconds.

end_timestamp

int – timestamp that marks the end of the range.

start_timestamp

int – timestamp that marks the start of the range.

Module contents

plaso.unix package

Submodules
plaso.unix.bsmtoken module

This file contains the Basic Security Module definitions.

Module contents

plaso.winnt package

Submodules
plaso.winnt.human_readable_service_enums module

This file contains constants for making service keys more readable.

plaso.winnt.known_folder_ids module

This file contains the Windows NT Known Folder identifier definitions.

plaso.winnt.language_ids module

This file contains the Windows NT Language identifiers.

plaso.winnt.shell_folder_ids module

This file contains the Windows NT shell folder identifier definitions.

plaso.winnt.time_zones module

This file contains the Windows NT time zone definitions.

The Windows time zone names can be obtained from the following Windows Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

Module contents

Submodules

plaso.dependencies module

Functionality to check for the availability and version of dependencies.

This file is generated by l2tdevtools update-dependencies.py, any dependency related changes should be made in dependencies.ini.

plaso.dependencies.CheckDependencies(verbose_output=True)[source]

Checks the availability of the dependencies.

Parameters:verbose_output (Optional[bool]) – True if output should be verbose.
Returns:True if the dependencies are available, False otherwise.
Return type:bool

Module contents

Super timeline all the things (Plaso Langar Að Safna Öllu).

log2timeline is a tool designed to extract timestamps from various files found on a typical computer system and aggregate them. Plaso is the Python rewrite of log2timeline.

Indices and tables